OpenBSD 4.9 ftp as a client
Hello,
I'm trying to write rules to let the ftp go out. My OpenBSD acts as a client and pf is located on that same machine. There is no other filtering. I use OpenBSD 4.9 and the syntax differs from one version to another (between 4.8 and 5.0).
I've done these actions. I've started ftp-proxy: PHP Code:
I've added those rules in pf.conf PHP Code:
PHP Code:
I've reloaded the rules PHP Code:
The control channel works but as soon as I start the data channel it doesn't (for example ls in ftp) PHP Code:
And this rule does not match: PHP Code:
Does anyone have an idea?
ftp-proxy will only work for clients who connect through the machine:
For allowing ftp connections initiated by the ftp-proxy box itself, you have to open port 21 for the ftp command channel. The ftp data channel needs ports >1024. If you don't want to leave such a wide range of ports open you could use a pf 'anchor' to temporarily open this >1024 range. Or you could only open this range for a small selection of ftp servers, for example some of the nearest OpenBSD ftp mirrors. I
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hello,
Thank you for pointing out the right direction. I will no longer pursue ftp-proxy. I have written these two rules: PHP Code:
I have read the faq about anchors but I don't get how to use it. I think it starts like this. PHP Code:
Do you know how to do this?
I am not using an anchor, I use the following on my workstation:
Code:
table <ftp_sites> { ftp.openbsd.org ftp.eu.openbsd.org anga.funkfeuer.at \
    ftp.wu-wien.ac.at ftp.nluug.nl ftp5.usa.openbsd.org ftp3.usa.openbsd.org \
    obsd.cec.mtu.edu ftp.halifax.rwth-aachen.de ftp.dk.freebsd.org }
table <ftp_local> { 192.168.222.0/24 }

# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535
FTPfirst = 49152
#FTPlast = 65535

# -- outgoing ftp
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp \
    label "$nr:$proto:FTP_CMD_OUT"
pass out quick on egress inet proto tcp from egress port >= 1023 \
    to <ftp_sites> port >= $FTPfirst label "$nr:$proto:FTP_DATA_OUT"

# allow local network clients to access ftp server on workstation
pass in quick on egress inet proto tcp from <ftp_local> to egress port ftp \
    label "$nr:$proto:FTP_CMD_IN"
pass in quick on egress inet proto tcp from <ftp_local> port >= 1023 \
    to egress port >= $FTPfirst label "$nr:$proto:FTP_DATA_IN"
Quote:
Quote:
Not too difficult, isn't it? Yes, I know, been there too. Sometimes we fail to see the forest, because there are so many trees.
Hello,
First thank you for your answers. I got confused when I read the word dynamic. From what I understand now, you use anchors when you want to add a rule without reloading all the rules. I understood previously that pfctl would create new rules if a condition is matched (if I go to a certain IPDest/PortDest, it adds rule X). From what you wrote previously:
1) On your workstation, you give a very limited access to external ftp sites and you use tables => Ideally I would like to have access to any site.
2) The anchors method that you used requires a manual action; it's kind of dynamic but I can't say it is the dream scenario that I wrote above =)
Reading your pf configuration, I have another question. What is the difference between portfirst/last and porthifirst/last? Trust me, I already read man 3 sysctl before asking the question and the trees are still hiding the forest. It says Quote:
When my OpenBSD is going to do an http or ftp request, it's going to use the hi port, correct? In which case, would it use the range 1024-49151 then? Merry Christmas
According to http://en.wikipedia.org/wiki/Registered_port
Quote:
It is easy to check if you start tcpdump before running a local ftp session with ftp localhost Code:
$ sudo tcpdump -eni lo0
tcpdump: listening on lo0, link-type LOOP
127.0.0.1.1268 > 127.0.0.1.21: S
127.0.0.1.21 > 127.0.0.1.1268: S A
127.0.0.1.1268 > 127.0.0.1.21: A
Here the source port is >1023 Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.21           127.0.0.1.1268         ESTABLISHED
tcp        0      0  127.0.0.1.1268         127.0.0.1.21           ESTABLISHED
tcp        0      0  *.21                   *.*                    LISTEN
It also shows that there is a service LISTENing on port 21. This is the ftpd daemon. Setting up a daemon to LISTEN on a port <1024 requires root privilege. When I do an ftp 'ls', the ftp data channel is set up with Code:
127.0.0.1.24290 > 127.0.0.1.50320: S
127.0.0.1.50320 > 127.0.0.1.24290: S A
127.0.0.1.24290 > 127.0.0.1.50320: A
Another ftp 'ls' creates a new data channel, with the same ranges used Code:
127.0.0.1.4326 > 127.0.0.1.60464: S
127.0.0.1.60464 > 127.0.0.1.4326: S A
127.0.0.1.4326 > 127.0.0.1.60464: A
Code:
127.0.0.1.29882 > 127.0.0.1.52039: S
127.0.0.1.52039 > 127.0.0.1.29882: S A
127.0.0.1.29882 > 127.0.0.1.52039: A
Code:
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.20.25960   192.168.222.10.22      ESTABLISHED
Code:
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  192.168.222.20.34895   85.12.29.43.123
udp        0      0  192.168.222.20.17778   131.211.8.244.123
udp        0      0  192.168.222.20.6308    87.195.109.207.123
Last edited by J65nko; 25th December 2011 at 02:24 AM.
Thank you for this example. I have looked at my pf logs and found the same.
But correct me if I'm wrong, these tests are in contradiction with what's written in Wikipedia. Quote:
Isn't it illogical?
English is not my native language, I had to look up what ephemeral meant
But you have to differentiate between source ports and destination ports. The client, usually the one initiating the connection, uses a source port randomly chosen from the 1024-49151 range. The destination port can be one of all three ranges: <1024, 1024-49151, or >49151. An ssh connection uses destination port 22, a connection to a mysql server port 3306, and, as I posted previously, a short-lived ftp data channel connection uses the >49151 range. Quote:
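As an added example (not J65nko's code and not part of the thread), a small sh script that sorts the ports from the loopback SYNs quoted above into the three ranges just described, and checks whether each connection would satisfy the port constraints of the FTP_DATA_OUT rule in the pf.conf posted earlier ("from egress port >= 1023 to <ftp_sites> port >= $FTPfirst"). The 49152 boundary and the sample lines come from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example: classify tcpdump SYN lines by IANA port range and test them
# against the port part of the FTP_DATA_OUT rule from the thread.
FTPFIRST=49152   # same value as FTPfirst / net.inet.ip.porthifirst in the thread

# Constructed sample: the loopback SYNs quoted earlier in the thread.
SAMPLE='127.0.0.1.1268 > 127.0.0.1.21: S
127.0.0.1.24290 > 127.0.0.1.50320: S
127.0.0.1.4326 > 127.0.0.1.60464: S
127.0.0.1.29882 > 127.0.0.1.52039: S'

# port_range PORT -> well-known (<1024) | registered (1024-49151) | dynamic (>49151)
port_range() {
    if [ "$1" -lt 1024 ]; then echo well-known
    elif [ "$1" -le 49151 ]; then echo registered
    else echo dynamic; fi
}

# ftp_data_out_match SRC DST -> true when both port tests of the rule pass
ftp_data_out_match() {
    [ "$1" -ge 1023 ] && [ "$2" -ge "$FTPFIRST" ]
}

# classify_syn "a.b.c.d.SRC > a.b.c.d.DST: S"
#   -> "src:<range> dst:<range> data_rule:<yes|no>"
classify_syn() {
    # port is the last dotted component of each address (tcpdump -n style)
    src=$(echo "$1" | awk '{sub(/.*\./, "", $1); print $1}')
    dst=$(echo "$1" | awk '{sub(/:$/, "", $3); sub(/.*\./, "", $3); print $3}')
    if ftp_data_out_match "$src" "$dst"; then m=yes; else m=no; fi
    echo "src:$(port_range "$src") dst:$(port_range "$dst") data_rule:$m"
}

# Walk the sample: the command channel SYN falls outside the data rule,
# the three data channel SYNs (destination >49151) match it.
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    echo "$line -> $(classify_syn "$line")"
done
```

Pipe real `tcpdump -ni lo0 'tcp[tcpflags] & tcp-syn != 0'` output through the same loop to verify a live ftp session against the rule instead of the constructed sample.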
Thank you. I think this is now clear to me.