DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 10th January 2017
NZKshatriya NZKshatriya is offline
Real Name: David Nazzaro
New User
 
Join Date: Jan 2017
Location: San Antonio, TX
Posts: 1
Default OpenBSD 6.0: ftp configuration

Hi all.

New here and looking for some help.

Just finished my first day of a practicum/internship, and currently the instructor and I are stuck on getting ftp to transmit/receive.

I am looking for in depth/detailed information on configuring pf/rules to allow for incoming and outgoing ftp traffic, and also how to correctly configure ftp-proxy.

More in depth information on the use of anchors would also be of help, as the information contained in the official OpenBSD faq, leaves much to be desired and has almost no troubleshooting value.
Reply With Quote
  #2   (View Single Post)  
Old 10th January 2017
frcc frcc is offline
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 122
Default

check out "The Book of pf" 2nd edition by Peter Hansteen
No starch press ISBN-10: I59327-274-X
ISBN-13: 978-I-59327-274-6
Reply With Quote
  #3   (View Single Post)  
Old 10th January 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,934
Default

Quote:
Originally Posted by NZKshatriya View Post
... the information contained in the official OpenBSD faq, leaves much to be desired...
Hmmm. The Issues with FTP section give example rules for three different scenarios. Which of these scenarios are causing problems?
Quote:
... and has almost no troubleshooting value.
Troubleshooting PF requires the use of the log option on your rules, and the use of tcpdump(8) with either pflog(4) for real time analysis or pflogd(8) files for a posteriori analysis.
Reply With Quote
  #4   (View Single Post)  
Old 10th January 2017
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,503
Default

The following is my setup on an OpenBSD firewall running on an Alix system. It allows clients on my home network to ftp to servers on the Internet

If you are trying to protect a ftp server with a firewall configuration you need a somewhat different approach


Ftp uses 2 TCP communciation channels:
  1. Command channel using destination port 21

    This channel persists during a ftp session
  2. Data channel using a destination port >1024 suggested by the ftp client (in the data stream of the command channel)

    This channel is setup and torn down for each individual data transfer. Because the always changing port numbers this is difficult to filter with a firewall. This is made simple by using ftp-proxy(8).

On my OpenBSD 5.8 firewall. I configured ftp-proxy(8) in /etc/rc.conf.local
Code:
ftpproxy_flags="-T FTP_DATA"
This "tags" or labels the data streams with the tag FTP_DATA

To allow this traffic in the firewall rule set:

Code:
# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
# 
pass out quick     on egress inet tagged FTP_DATA

The proxy itself listens on the the loopback 127.0.0.1 interface port 8021. The ftp command channel is diverted in pf.conf with:
Code:
# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
But it still needs permission to pass out the command channel on the external/egress interface:
Code:
pass out quick on egress inet proto tcp from any to any port = 21
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD as Mail server, can you check my configuration? wjuq OpenBSD General 4 12th February 2014 01:36 PM
OpenBSD Gnome Configuration Problem threaderslash OpenBSD Packages and Ports 7 29th August 2011 10:22 AM
WindowMaker 0.92.0p7 (OpenBSD 4.4/i386 Packages) configuration issue. xixobrax OpenBSD General 1 3rd May 2009 04:04 PM
k3b, configuration. maxrussell FreeBSD Ports and Packages 4 3rd March 2009 04:23 AM
Working Configuration for Openbsd 4.0 - Postfix - SASL - TLS roundkat Guides 0 4th May 2008 05:38 PM


All times are GMT. The time now is 03:04 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick