DaemonForums  
#1
Old 22nd October 2009
frenchviking
New User
Join Date: Oct 2009
Posts: 2
Log ftp packet on PF with ftp-proxy on

Hello,

I'm trying to log FTP connections coming from the WAN to an FTP server through my PF box, which has ftp-proxy set on.

FTP connections are all ruled like this:

Code:
rdr pass on $ext_if proto tcp from <adminssh> to $crt_lr port 21 -> 127.0.0.1 port 8021

My rule, which is the last logging rule, looks like this:

Code:
pass in log on $ext_if proto tcp from any port 21 to <filtre_ftp> label filtreftp
In my table <filtreftp> I have multiple FTP server IP addresses.

I launch pflogd this way:

Code:
pflogd -s 116 -i pflog0 -f /var/log/pflog.ftp ruleset filtreftp
And then to check my rule I run tcpdump:

Code:
tcpdump -ttt -e -r /var/log/pflog.ftp
My problem is that nothing is logged (or not what I want). I tried so many ways but it is impossible to log FTP connections. I tried successfully to log SSH and RDP connections. So I think ftp-proxy may be the cause of my troubles.

Am I right?

I'm not very familiar with PF (2 weeks practicing).

Forgive me if I made some English errors or if I'm not very clear.

Thanks.
#2
Old 22nd October 2009
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Because ftp-proxy creates pf rules "on the fly", or dynamically, you cannot have pf log the way you tried.

A very simple way to do this logging is to use the -v or -vv flag. From the ftp-proxy man page:
Code:
     -v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use twice
             to set the 'log-all' flag.  The pf rules do not log by default.
Another way to log is to use the -D flag:
Code:
     -D level
             Debug level, ranging from 0 to 7.  Higher is more verbose.  The
             default is 5.  (These levels correspond to the syslog(3) levels.)
IIRC this will log to "/var/log/daemon".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
Old 23rd October 2009
frenchviking
New User
Join Date: Oct 2009
Posts: 2

Thanks for your answer!

The ftp-proxy -v flag does not seem to be working, but the -D 7 flag is working perfectly. I can see source and destination connections.

Do you have any idea how I can filter this rule to only log a table (of IPs) declared in pf.conf? I may have hundreds of IPs and only need to log about 20.

Where are the rules logged when launching ftp-proxy -v? pflog? Should my rule look like this?

Code:
pass log on $ext_if proto tcp from any user proxy
Thanks again for your extremely useful help!!!
#4
Old 23rd October 2009
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

RE: starting ftp-proxy and passing -v option to

You can enable ftp-proxy in /etc/rc.conf.local by adding
Code:
ftpproxyflags="-v -D7"
RE: your logging rule

Depending on what exactly you want to log, you may not need to make a rule with logging. ftp-proxy dynamically attaches rules to the NAT and RDR anchors.
Please refer to http://www.openbsd.dk/faq/pf/ftp.html#natserver for an example.
See http://www.openbsd.dk/faq/pf/anchors.html for more info about anchors.

RE: table defined logging

I don't think you can do that with the pre-fabricated rules that ftp-proxy attaches to the anchors.

Because of a house move my network lab is still unpacked in the garage, else I would try to figure it out for you.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
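As an added example, not from either poster, for the table-restricted logging asked about in #3: since the rules ftp-proxy attaches cannot be limited to a pf table, one workaround is to filter the -D 7 session lines in /var/log/daemon against the table contents after the fact. The log lines and the `pfctl -t filtre_ftp -T show` output below are constructed samples, and the match pattern assumes that line shape, so check it against what your daemon log really prints.

```shell
#!/bin/sh
# Constructed sample of ftp-proxy session lines as syslog records them at -D 7
# (shape assumed from ftp-proxy's "FTP session ... started" message; adjust the
# pattern in filter_ftp_sessions if your /var/log/daemon looks different).
SAMPLE_LOG='Oct 23 10:01:02 fw ftp-proxy[1234]: #1 FTP session 1/100 started: client 203.0.113.7 to server 192.0.2.10 via proxy 127.0.0.1
Oct 23 10:01:05 fw ftp-proxy[1234]: #2 FTP session 2/100 started: client 203.0.113.8 to server 192.0.2.99 via proxy 127.0.0.1
Oct 23 10:01:09 fw ftp-proxy[1234]: #3 FTP session 3/100 started: client 198.51.100.4 to server 192.0.2.11 via proxy 127.0.0.1'

# Constructed stand-in for the output of `pfctl -t filtre_ftp -T show`
# (one address per line, indented the way pfctl prints it).
SAMPLE_TABLE='   192.0.2.10
   192.0.2.11'

# filter_ftp_sessions TABLE_TEXT < daemon.log
# Prints "client server" for every session whose server address is in the table,
# i.e. only the FTP servers you care about, and drops the rest.
filter_ftp_sessions() {
    table="$1"
    awk -v table="$table" '
        BEGIN {
            # load the table addresses into a lookup set
            n = split(table, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1
        }
        /ftp-proxy\[[0-9]+\]: #[0-9]+ FTP session .* started: client / {
            # the client and server addresses follow the words "client" and "server"
            for (i = 1; i <= NF; i++) {
                if ($i == "client") c = $(i + 1)
                if ($i == "server") s = $(i + 1)
            }
            if (s in want) print c, s
        }'
}

# Number of sessions in the sample that hit a server listed in the sample table.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | filter_ftp_sessions "$SAMPLE_TABLE" | wc -l | tr -d ' '
}

# Real use: filter_ftp_sessions "$(pfctl -t filtre_ftp -T show)" < /var/log/daemon
count_matches
```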