Ftp & pf
Now that I have almost everything working I am left with my final hurdle: FTP.
My ftp sessions freeze up after issuing the 'LIST' command, until the session times out.

FTP-Proxy command:
Code:
ftp-proxy -p 8021 -R 192.168.0.101 -P 21 -D7 -v -d -a 50.x.x.x

Results:
Code:
#8 accepted connection from 72.38.43.86
#8 FTP session 1/100 started: client 72.38.43.86 to server 192.168.0.101 via proxy 50.x.x.x
#8 server: 220 ProFTPD 1.3.5rc3 Server (Debian) [50.115.176.101]\r\n
#8 client: USER bsd_matt\r\n
#8 server: 331 Password required for bsd_matt\r\n
#8 client: PASS password\r\n
#8 server: 230 User bsd_matt logged in\r\n
#8 client: SYST\r\n
#8 server: 215 UNIX Type: L8\r\n
#8 client: PWD\r\n
#8 server: 257 "/" is the current directory\r\n
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (50,x.x.x,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n

pf.conf:
Code:
# The name of your virtual internal NIC group
ext_if = "em0"
int_if = "em2"
testbench_pub_ip = "50.x.x.x"
testbench = "192.168.0.101"
icmp_types = "{ echoreq, unreach }"

pass inet proto icmp all icmp-type $icmp_types

set block-policy drop
set loginterface egress
set loginterface em0
set loginterface em2
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on { lo0, $int_if }

match in log all scrub (no-df)

# NAT
match out log on egress inet from !(egress:network) to any nat-to (egress:0)

block in quick inet6 all
block out quick inet6 all
block in log all
pass out log inet keep state
pass in log on { $int_if }

match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in log on $ext_if inet proto tcp to $testbench_pub_ip port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8021
pass out log on $int_if inet proto tcp to $testbench port 21 user proxy

Running OBSD v5.4
The divert-to change didn't help. After running:
Code:
09:36:34 root@tng # pfctl -vv -a ftp-proxy/19725.7 -sr
@0 pass in log quick on rdomain 0 inet proto tcp from 72.38.43.86 to 50.x.x.x port = 57241 flags S/SA keep state (max 1) rtable 0 rdr-to 192.168.0.101 port 31705
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 71 pid 19725 State Creations: 0     ]
@1 pass out log quick on rdomain 0 inet proto tcp from 72.38.43.86 to 192.168.0.101 port = 31705 flags S/SA keep state (max 1) nat-to 50.x.x.x

my ftp server (proftpd) is set up as follows:
Code:
Masquerading address: 50.x.x.x
Passive Ports: 30000:35000

Last edited by bsd_matt; 12th December 2013 at 02:49 PM.

I think I see another issue - you are using -a rather than -b with ftp-proxy. No state is established, according to your pfctl output, and this could be the reason.
Please review the "Issues with FTP" chapter of the PF User's Guide, in particular the section "FTP Server Protected by an External PF Firewall Running NAT", for recommended ftp-proxy flags and recommended filter rules, which you are not using.

PF.conf:
Code:
ext_ip = "50.115.x.x"
ftp_ip = "192.168.0.101"

match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port { ftp, ftp-data } divert-to 127.0.0.1 port 8022
pass out on $int_if inet proto tcp to $ftp_ip port { ftp, ftp-data } user proxy

ftp-proxy:
Code:
ftp-proxy -d -D7 -v -p 8022 -R 192.168.0.101 -P 21

This results in the same situation. As soon as I get this working I have 10 other ftp servers I need to allow through.

An old OBSD v4.8 box currently works with these settings:

old pf.conf:
Code:
pass in log on $ext_if proto { tcp, udp } from any to 38.x.x.x port { ftp ftp-data } rdr-to $upload_ip
.
.
pass in log on $ext_if inet proto tcp from any to $server_1 port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8022
pass in log on $ext_if inet proto tcp from any to $upload_ip port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8023
pass in log on $ext_if inet proto tcp from any to $server_2 port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8024

and ftp-proxy:
Code:
/usr/sbin/ftp-proxy -p 8022 -R 192.168.0.226 -P 21
/usr/sbin/ftp-proxy -p 8023 -R 192.168.0.152 -P 21
/usr/sbin/ftp-proxy -p 8024 -R 192.168.0.111 -P 21

What I fail to understand is how/why the old gateway works fine but the new settings do not.

Last edited by bsd_matt; 12th December 2013 at 04:18 PM.

Interesting development;
I can replicate the results (of it not working) with these lines in my pf.conf:
Code:
pass in on $ext_if proto tcp to $testbench_pub_ip port 21 rdr-to $testbench
pass in on $ext_if proto tcp to $testbench_pub_ip port 30000:35000

So what does that tell me? Perhaps ftp-proxy isn't working as it should?

Your new rules do not use the -b option of ftp-proxy, as the PF User's Guide recommended. It is my guess that you will want this set to your external 50.x.x.x.
Code:
-b address
        Address where the proxy will listen for redirected control connections. The default is 127.0.0.1, or ::1 in IPv6 mode.

Last edited by jggimi; 12th December 2013 at 05:03 PM. Reason: typo

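The two posts above turn on one detail of the ftp-proxy -D7 output: the address the proxy puts into its own 227 reply. In the first post the server announces 50,x.x.x,127,143 (port 127*256+143 = 32655, the "client to server port 32655" line) and the proxy answers the client with 127,0,0,1,212,19 (port 54291, the "via port 54291" line), so the Internet client is told to open its data connection to 127.0.0.1 and LIST hangs until ABOR. The script below is an added example, not code from the thread or from OpenBSD: it decodes every 227 reply and PORT command in such a log, flags a proxy advertisement the client cannot reach, and models the rewrite with a proper listening address. The sample log is constructed from the posted lines (with the masked octets filled in with the 50.115.176.101 the later posts show), and reachable_from is a heuristic of my own, not ftp-proxy's logic.

```python
import ipaddress
import re

# Constructed sample modelled on the ftp-proxy -D7 output posted in this thread;
# ftp-proxy prints the CRLF terminators literally as "\r\n". Not a real capture.
SAMPLE_LOG = r"""
#8 FTP session 1/100 started: client 72.38.43.86 to server 192.168.0.101 via proxy 50.115.176.101
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (50,115,176,101,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
"""

# "#<session> <speaker>: <payload>" with an optional literal \r\n at the end
LINE_RE = re.compile(r"^#(\d+) (client|server|proxy): (.*?)(?:\\r\\n)?$")
# RFC 959 h1,h2,h3,h4,p1,p2 tuples as they appear in a 227 reply or a PORT command
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"\bPORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> (IPv4Address, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in {fields}")
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def encode_hostport(addr, port):
    """Inverse of decode_hostport, for building a 227 reply or a PORT command."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"{str(addr).replace('.', ',')},{port // 256},{port % 256}"


def parse_data_endpoints(log_text):
    """Every data-connection endpoint announced in the log: (session, speaker, verb, addr, port)."""
    found = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        session, speaker, payload = m.groups()
        for verb, rx in (("227", PASV_RE), ("PORT", PORT_RE)):
            hp = rx.search(payload)
            if hp:
                addr, port = decode_hostport(hp.groups())
                found.append((int(session), speaker, verb, addr, port))
    return found


def reachable_from(peer, addr):
    """Heuristic (my own, not ftp-proxy's): can `peer` open a TCP connection to `addr`?
    Loopback, unspecified and link-local never cross a firewall; RFC 1918 space is
    unreachable from a peer with a global address."""
    peer = ipaddress.IPv4Address(peer)
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return False
    if addr.is_private and peer.is_global:
        return False
    return True


def unreachable_passive_advertisements(log_text, client):
    """227 replies the proxy sent to `client` whose address the client cannot connect to.
    A non-empty result is the failure mode in this thread: LIST hangs, then ABOR."""
    return [(session, str(addr), port)
            for session, speaker, verb, addr, port in parse_data_endpoints(log_text)
            if speaker == "proxy" and verb == "227" and not reachable_from(client, addr)]


def rewrite_pasv(server_reply, listen_addr, listen_port):
    """Model of the proxy's 227 rewrite: keep the server's reply text, substitute the
    address and port the proxy itself listens on (the address is what -b controls)."""
    if not PASV_RE.search(server_reply):
        raise ValueError(f"not a 227 reply: {server_reply!r}")
    tup = encode_hostport(ipaddress.IPv4Address(listen_addr), listen_port)
    return PASV_RE.sub(lambda m: m.group(0)[:m.group(0).index("(") + 1] + tup + ")", server_reply)


if __name__ == "__main__":
    for bad in unreachable_passive_advertisements(SAMPLE_LOG, "72.38.43.86"):
        print("session %d: proxy advertised %s:%d, unreachable for the client" % bad)
    print(rewrite_pasv("227 Entering Passive Mode (50,115,176,101,127,143).", "50.115.176.101", 54291))
```

Run against the real -D7 output, the check reports any session whose proxy-side 227 carries 127.0.0.1; once the proxy listens on the external address, the same log parses clean. The same six-field decoder also reads the PORT command FileZilla sent later in the thread (192,168,1,125,127,38 is 192.168.1.125 port 32550), which is the active-mode counterpart of the same advertisement problem.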
Thank-you....
Your reply was very welcome. And it actually cleared up a few questions that I had. Thank-you.
I have removed the -b option so now the ftp-proxy command looks like this:
Code:
ftp-proxy -d -D7 -v -p 8022 -R 192.168.0.101 -P 21 -r

While I stated that [begin whine mode] I don't understand why this isn't working [/end whine mode], I actually do understand that the syntax and commands have changed. I know that the old rule-set won't work as a copy/paste. I was just trying to express some frustration, and I am sorry that I took it out on you.

As best I can tell the communication between server & client is failing after the client logs in, and the server tries switching to a new port (PASV mode).
Code:
#4 client: PASV\r\n
#4 server: 227 Entering Passive Mode (50,115,176,101,126,164).\r\n
#4 passive: client to server port 32420 via port 50220
#4 proxy: 227 Entering Passive Mode (50,115,176,101,196,44)\r\n
#4 client: LIST\r\n

Is it possible that the client isn't getting this data? Am I missing a "pass out ALL" style statement in my pf.conf?

In the client I see this message:
Code:
227 Entering Passive Mode (50,115,176,101,214,39)
LIST

So the client is getting the information, and trying to connect, but the firewall isn't allowing the new connection.

Update: While using FileZilla I get a new error that I haven't seen before.
Code:
Command:   PWD
Response:  257 "/" is the current directory
Command:   PORT 192,168,1,125,127,38
Response:  200 PORT command successful
Command:   MLSD
Response:  425 Unable to build data connection: Connection refused.
Error:     Failed to retrieve directory listing.

Last edited by bsd_matt; 12th December 2013 at 07:24 PM. Reason: added client information && FileZilla error.

If I understood your environment, you have an FTP server on your LAN that you would like to expose to the Internet at address 50.x.x.x. Its internal address is 192.168.0.101.
If that is correct, I recommend the following:
Code:
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp to 50.x.x.x port 21
pass out on $int_if proto tcp to 192.168.0.101 port 21 user proxy

Redirection via divert-to is needed to support clients behind the firewall, not the servers.