DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 11th August 2008
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Default pf allow ftp access

Trying to configure ftp access to be able to down the bsd port collection.
Code:
# Allow acces to ftp
pass out on $if proto tcp from $if to any port { 21 , 20 }
the above does not work what am I missing

thanks
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #2   (View Single Post)  
Old 11th August 2008
s0xxx's Avatar
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 192
Default

You will have to post your complete pf.conf in order to see other rules and what $if represents. Give more info to get more info!
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Reply With Quote
  #3   (View Single Post)  
Old 11th August 2008
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Default the full rule set

Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"

# Tables
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/brufeforce"


# Set Optimizations:
set loginterface $ext_if

set skip on lo0

# Normalization / scrubbing
scrub in all

antispoof quick for { lo0 $ext_if }

block all
block quick from <bruteforce>

pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8
# Allow access to sshd. 
pass in on $ext_if proto tcp from <sshadmins> to self port ssh

# Allow acces to ftp
pass out on $ext_if proto tcp from $if to any port { 21 , 20 }

# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5

Last edited by ijk; 11th August 2008 at 09:49 PM.
Reply With Quote
  #4   (View Single Post)  
Old 11th August 2008
chris chris is offline
Port Guard
 
Join Date: May 2008
Location: United Kingdom
Posts: 35
Default

shouldn't $if be $ext_if?
Reply With Quote
  #5   (View Single Post)  
Old 11th August 2008
ephemera's Avatar
ephemera ephemera is offline
Knuth's homeboy
 
Join Date: Apr 2008
Posts: 537
Default

it looks like (i dont know pf just guessing from the syntax) your ruleset doesn't allow ftp.
there are two ways of transfer: active and passive.
for active transfers you will need to allow the ftp server to connect (active open) from server port 20.
for pasv tx you should allow the client to do an active open on an ephemeral port on the server. you can maybe add the following rule at the end to allow pasv tx:

pass out proto tcp from self to any keep state
Reply With Quote
  #6   (View Single Post)  
Old 11th August 2008
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Default

it is already $ext_if my typing error.
Code:
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }
yes have been reading about active and passive ftp. but the rules i need are still problematic

I am already letting out traffic with the above rule. Why do i need to let out all traffic from any port with the below rule. is not this insecure.

Code:
pass out proto tcp from self to any keep state
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #7   (View Single Post)  
Old 11th August 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Passive ftp uses two connections
Code:
  • ftp command channel client: client_ip:port>1023 --> server_ip:port_21 server: server_ip:port_21 --> client_ip:port>1023
  • data channel client: client_ip:port>1023 --> server_ip:port>1023 server: server_ip:port>1023 --> client_ip:port>1023
So the second rule
Code:
pass out proto tcp from self to any keep state
will allow the ftp command channel.

Because most people find a rule like this rather permissive (it allows for example MSN connections), a proxy is needed.

See ftp-proxy(8) for the details.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #8   (View Single Post)  
Old 12th August 2008
ephemera's Avatar
ephemera ephemera is offline
Knuth's homeboy
 
Join Date: Apr 2008
Posts: 537
Default

Quote:
Originally Posted by ijk View Post
Code:
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }
yes have been reading about active and passive ftp. but the rules i need are still problematic

I am already letting out traffic with the above rule. Why do i need to let out all traffic from any port with the below rule. is not this insecure.
pass out proto tcp from self to any keep state

for pasv ftp tx the above rule will allow your ftp client to establish a data connection to the ftp server on an ephemeral port (> 1023) on the server.
anyway, ftp-proxy maybe a better option.
Reply With Quote
  #9   (View Single Post)  
Old 13th August 2008
jleal jleal is offline
Real Name: Chuy
Port Guard
 
Join Date: May 2008
Location: Boca del Rio
Posts: 11
Default ftp-proxy

you should use ftp proxy do this:

/etc/rc.conf
Append following line:
ftpproxy_enable="YES"

Open your /etc/pf.conf file and add following into your NAT section:
To activate it, put something like this in the NAT section of pf.conf:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
All three rules required, even if your setup does not use NAT. Find your filtering rule and append the following rules:
anchor "ftp-proxy/*"


use this link also

http://www.cyberciti.biz/faq/freebsd...configuration/

good look!!!
Reply With Quote
Old 25th August 2008
jleal jleal is offline
Real Name: Chuy
Port Guard
 
Join Date: May 2008
Location: Boca del Rio
Posts: 11
Default no problem!

No problem also you may want to check , ftpproxy_flags="" in rc.conf

you are welcome!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
DVD access zazen OpenBSD General 11 4th June 2009 03:28 PM
ssh access carpman FreeBSD Security 8 19th February 2009 12:26 PM
Securing ftp access AlexDudko FreeBSD Security 6 12th January 2009 09:21 PM
ssh/external access jwhal OpenBSD General 11 21st May 2008 07:19 PM
CD Access in KDE Scott FreeBSD General 10 13th May 2008 05:48 AM


All times are GMT. The time now is 06:22 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick