DaemonForums > FreeBSD > FreeBSD General

Trouble with ftp with pf enabled

#1 kasse, 24th August 2008

On my FreeBSD 7.0 I can't establish ftp connections with pf enabled.

First I had ftp added to the standard tcp_services allowed to pass out with keep state, a la
Code:
 pass out proto tcp to any port ftp
Then I could access the ftp sites, but I could not receive any data back; e.g. using ls or pwd, I would get some reply that the operation was not permitted and the connection would close.

Second I tried the method described in ftp-proxy, but then I cannot even connect to any ftp.

Here is the pf.conf. I confess that it may seem stupid on my home desktop, but I wanted to get a feeling for pf.
Code:
# define some outgoing services
tcp_services = "{ssh, smtp, domain, https, www, auth, imaps}"
udp_services = "{domain}"

# define some macros
ext_if = "em0" #to wireless router via cable
ftp_proxy = "127.0.0.1" #where ftp-proxy is attached
ftp_proxyport = "8021"

# define some trusted hosts
table <trusted> { 192.168.0.102 }

# don't filter loopback
set skip on lo0

# sort out the meaningful and assemble those
scrub in all

# define some anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# define some redirection
rdr pass on $ext_if proto tcp from any to any port ftp -> \
    $ftp_proxy port $ftp_proxyport

#### the filter rules
block all
anchor "ftp-proxy/*" {
   pass out proto tcp from $ftp_proxy to any port ftp keep state
}
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass on $ext_if proto udp to any port $udp_services keep state

#allow incoming from trusted lan address but log it
pass in log on $ext_if proto tcp from <trusted> to any port ssh

As always, since I'm not familiar with this and a bit slow, I issue an idiot warning.

#2 hunteronline, 24th August 2008

Have a look at what jleal posted at the end of this thread: http://www.daemonforums.org/showthread.php?t=1695

#3 J65nko, 24th August 2008

On a stand-alone box you cannot use the ftp-proxy from pf. This proxy needs two physical interfaces, an external NIC and an internal one.

ftp-proxy listens on the internal NIC to intercept ftp traffic from the internal LAN.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#4 scottro (Scott Robbins), 24th August 2008

I have a very dated page on pf at http://home.nyc.rr.com/computertaijutsu/pf.html

At the end, in the odds and ends section, I talk about it. Most of the detailed guides about ftp are all about using an ftp server, rather than a client. It can be confusing, because many of them don't really seem to specify that; they just talk about ftp. I think it was actually J65nko who straightened me out on this.

#5 kasse, 24th August 2008

Funny that this thread did not show up when I searched the forums for "pf ftp". Now I at least see the solution to the problem with no proxy, that I must allow outgoing to any port for the negotiated data connection, as mentioned by J65nko.

So is that the only way then, since the proxy works on two separate interfaces? I'm not sure I understand how the ftp-proxy works for this to be a problem. No way to trick the ftp-proxy?

#6 J65nko, 24th August 2008

I tried once, but I haven't found a way to trick ftp-proxy to run on a single interface.

You could add the ftp rules to a pf anchor and disable them when you don't need ftp. Remember that the ports use ftp.

Another option could be to store the allowed ftp sites in a table and make the ftp rules only applicable to these sites. But if you add software by using the FBSD ports mechanism, this becomes very difficult.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#7 kasse, 24th August 2008

Yeah, I was just reading through the taijutsu of scottro, and the anchor in the external file seems like a nice option if I somehow make it automatically read in each time I use pkg_add and then flushed.
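The three points raised in posts #5 to #7 (why a static ruleset cannot know the data port in advance, an anchor whose ftp rules exist only while ftp is needed, and a table of allowed ftp sites) put into one script. This is an added example, not code from the thread or from any of its authors. It assumes em0 as the external interface (as in kasse's pf.conf), an anchor named ftpout that pf.conf evaluates with a line `anchor "ftpout"` placed after `block all` (the anchor name and that line are assumptions), and a client running in passive mode; the ftp reply used as sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for a single-homed FreeBSD pf
# box that has to let a passive-mode ftp client out, e.g. pkg_add over ftp://.
# Assumptions: external NIC em0 (as in kasse's pf.conf); an anchor named
# "ftpout" that pf.conf evaluates with the line  anchor "ftpout"  placed after
# "block all" (the name and that line are assumptions, not from the thread);
# the client uses passive mode.

EXT_IF="${EXT_IF:-em0}"
ANCHOR="${ANCHOR:-ftpout}"
FTP_DST="${FTP_DST:-any}"   # "any", or a pf table such as "<ftpsites>"

# Parse the data endpoint a server announces in a passive-mode reply, e.g.
#   227 Entering Passive Mode (192,0,2,10,195,80)      (constructed sample)
# The port is p1*256+p2 and is chosen by the server per transfer. This is the
# reply ftp-proxy reads to insert a matching rule on the fly; a static pf.conf
# cannot know the port ahead of time, which is why a rule for port ftp alone
# lets the login through but breaks on ls/pwd.
# Prints "host port"; returns 1 when the line is not a well-formed 227 reply.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        /^227 / && match($0, /\([0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            printf "%s.%s.%s.%s %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Rules for the anchor: the control channel to port ftp, and the negotiated
# high data port. Without ftp-proxy the data port can only be covered by a
# range, so the second rule is the compromise. Passing a table name such as
# "<ftpsites>" instead of "any" limits both rules to known mirrors (J65nko's
# table suggestion); "ftp_anchor_rules" alone uses $FTP_DST.
ftp_anchor_rules() {
    dst="${1:-$FTP_DST}"
    cat <<EOF
pass out on $EXT_IF proto tcp from any to $dst port ftp flags S/SA keep state
pass out on $EXT_IF proto tcp from any to $dst port > 1023 flags S/SA keep state
EOF
}

# Load the rules into the anchor, run one command, then flush the anchor, so
# the high-port rule exists only while that command (e.g. pkg_add) runs.
# FTP_PASSIVE_MODE is the fetch(3) environment variable that keeps
# libfetch-based clients in passive mode.
with_ftp_rules() {
    ftp_anchor_rules | pfctl -a "$ANCHOR" -f - || return $?
    FTP_PASSIVE_MODE=yes "$@"
    status=$?
    pfctl -a "$ANCHOR" -F rules
    return $status
}

# Usage:  sh ftpout.sh rules [dst]          print the anchor rules
#         sh ftpout.sh pasv "<227 reply>"   show the negotiated data endpoint
#         sh ftpout.sh wrap <command...>    run a command with the rules loaded
case "${1-}" in
    rules) ftp_anchor_rules "${2-}" ;;
    pasv)  pasv_endpoint "${2-}" ;;
    wrap)  shift; with_ftp_rules "$@" ;;
esac
```

While the anchor is loaded, every process on the box can reach high ports, which is why the script keeps the rules loaded only for the duration of one command; the `<ftpsites>` table variant narrows that further to mirrors you list, at the cost J65nko notes of having to maintain the list when ports fetch distfiles from many hosts.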

#8 J65nko, 24th August 2008

Quote (originally posted by kasse):
    Yeah, I was just reading through the taijutsu of scottro ...

IIRC I suggested this to Scott quite some time ago on bsdforums.org.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#9 scottro (Scott Robbins), 24th August 2008

See post #4's last sentence.