DaemonForums  

#1, 1st July 2008
mswall (New User, joined Jul 2008)

ftp-proxy on transparent bridge

I am a relatively inexperienced user. I have used ftp-proxy on a routing firewall and it seems to work quite well. I am trying to get the ftp-proxy working on a transparent bridge firewall but I am not having any luck, which I believe is related to the bridge. I have the following set up running on OpenBSD 4.2 PF

ext_if = rl0
int_if = rl1
The bridge is running on those two NIC's. I have a third NIC, rl2, that has been assigned an ip address. I can SSH to the firewall on that address.

I have the standard rules in the NAT section:
Code:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

In the rule section, I have:
Code:
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 flags S/SA keep state
pass out on $ext_if proto tcp from any to any port 21 flags S/SA modulate state

What do I need to change to get this working with the bridge?
#2, 1st July 2008
J65nko (Administrator, joined May 2008, Budel - the Netherlands)

From the ftp-proxy man page:
Code:
     All connections from the client to the server have their source address
     rewritten so they appear to come from the proxy.  Consequently, all
     connections from the server to the proxy have their destination address
     rewritten, so they are redirected to the client.
For this to work, ftp-proxy needs an IP address, but a bridge doesn't have one.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 1st July 2008
mswall (New User, joined Jul 2008)

ftp-proxy

Since there is another NIC on the firewall that does have an IP address, is there something that can be done so that the proxy uses that address in its transactions?
#4, 2nd July 2008
robbak (Real Name: Robert Backhaus; VPN Cryptographer, joined May 2008, North Queensland, Australia)

I would assume that that other NIC is on the internal network, so using its address would be rather pointless, wouldn't it?
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
#5, 7th July 2008
peric0 (New User, joined Jun 2008)

I solved the problem using ftpsesame, adding an IP address to the internal interface.

The rules are similar to those on your pf.conf but you have to redirect the ip of your internal interface.

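The fix described in #5 (give the inside bridge member an address and redirect to it) follows directly from the man page text quoted in #2: ftp-proxy rewrites the client's source address to its own, so it must own an address that the rest of the network can reach. The fragment below is an added example, not configuration posted by anyone in this thread, written in the OpenBSD 4.2-era nat/rdr syntax the original post uses. It assumes rl0 and rl1 are members of bridge0, that rl1 has been given 192.168.1.1/24 (a constructed placeholder), that the LAN is 192.168.1.0/24, and that ftp-proxy is started with `-b 192.168.1.1` so it listens on that address instead of the default 127.0.0.1.

```pf
# Added example (not from the thread): ftp-proxy on a transparent bridge.
# Assumed layout: rl0 (outside) and rl1 (inside) are bridge0 members, and
# rl1 additionally carries 192.168.1.1/24 so the firewall owns a reachable
# address on the LAN side. All addresses are constructed placeholders.
ext_if   = "rl0"
int_if   = "rl1"
lan      = "192.168.1.0/24"
proxy_ip = "192.168.1.1"    # must match the address given to ftp-proxy -b

# --- translation section (nat/rdr come before filter rules in 4.2) ---
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Hand LAN clients' FTP control connections to ftp-proxy. The target is the
# internal interface's address, not 127.0.0.1, because that is the address
# the proxy will later rewrite client traffic to, and it is reachable
# from both sides of the bridge.
rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy_ip port 8021

# --- filter section ---
# ftp-proxy inserts its per-session nat/rdr/pass rules into this anchor;
# those are what rewrite the source address as the man page describes.
anchor "ftp-proxy/*"
# The proxy's own control connection to the FTP server, sourced from $proxy_ip.
pass out on $ext_if proto tcp from $proxy_ip to any port 21 flags S/SA keep state
# Ordinary LAN traffic crossing the bridge; tighten to taste.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state
```

Start the proxy with `ftp-proxy -b 192.168.1.1` (the assumed address) so that its listening socket and the rdr target agree; a mismatch leaves the redirected connection with nothing to accept it. `pfctl -s nat` shows the static rdr rule, and watching the inside and outside members with tcpdump should show the client's connection arriving on rl1 and leaving rl0 with 192.168.1.1 as its source, which is the rewriting the man page excerpt in #2 describes.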
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick