OpenBSD 6.0: ftp configuration

[NZKshatriya]

Hi all.

New here and looking for some help.

Just finished my first day of a practicum/internship, and currently the instructor and I are stuck on getting ftp to transmit/receive.

I am looking for in depth/detailed information on configuring pf/rules to allow for incoming and outgoing ftp traffic, and also how to correctly configure ftp-proxy.

More in depth information on the use of anchors would also be of help, as the information contained in the official OpenBSD faq, leaves much to be desired and has almost no troubleshooting value.

[frcc]

check out "The Book of pf" 2nd edition by Peter Hansteen
No starch press ISBN-10: I59327-274-X
ISBN-13: 978-I-59327-274-6

[jggimi]

Quote:

Originally Posted by NZKshatriya

... the information contained in the official OpenBSD faq, leaves much to be desired...

Hmmm. The Issues with FTP section give example rules for three different scenarios. Which of these scenarios are causing problems?

Quote:

... and has almost no troubleshooting value.

Troubleshooting PF requires the use of the log option on your rules, and the use of tcpdump(8) with either pflog(4) for real time analysis or pflogd(8) files for a posteriori analysis.

[J65nko]

The following is my setup on an OpenBSD firewall running on an Alix system. It allows clients on my home network to ftp to servers on the Internet

If you are trying to protect a ftp server with a firewall configuration you need a somewhat different approach


Ftp uses 2 TCP communciation channels:

1. Command channel using destination port 21
   
   This channel persists during a ftp session
   
2. Data channel using a destination port >1024 suggested by the ftp client (in the data stream of the command channel)
   
   This channel is setup and torn down for each individual data transfer. Because the always changing port numbers this is difficult to filter with a firewall. This is made simple by using ftp-proxy(8).

On my OpenBSD 5.8 firewall. I configured ftp-proxy(8) in /etc/rc.conf.local

Code:

ftpproxy_flags="-T FTP_DATA"

This "tags" or labels the data streams with the tag FTP_DATA

To allow this traffic in the firewall rule set:

Code:

# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
# 
pass out quick     on egress inet tagged FTP_DATA

The proxy itself listens on the the loopback 127.0.0.1 interface port 8021. The ftp command channel is diverted in pf.conf with:

Code:

# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

But it still needs permission to pass out the command channel on the external/egress interface:

Code:

pass out quick on egress inet proto tcp from any to any port = 21