DaemonForums > OpenBSD > OpenBSD Security
#1
6th May 2008
clinty

pf and ftp-proxy

Hello.

I have a machine with a pf firewall. I want *this* machine (not a machine behind this firewall) to be able to have ftp traffic out. I don't have an internal interface, just an external interface (sk0). I followed the pf FAQ page and the manpage, but it does not work :-(

This is my pf.conf:

Code:
ext_if="sk0"

#table <spamd-white> persist

set skip on lo

#scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp to port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"
block in log
block out log

pass on $ext_if proto icmp
antispoof quick for { lo $ext_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port smtp

pass out on $ext_if proto tcp from ($ext_if) to port ftp
pass out on $ext_if proto tcp from ($ext_if) to port smtp
pass out on $ext_if proto tcp from ($ext_if) to port domain
pass out on $ext_if proto udp from ($ext_if) to port domain

I have ftp-proxy launched:

Code:
2610 ??  Is      0:00.01 /usr/sbin/ftp-proxy -r

Unfortunately, ftp traffic does not work. I have to have a default "pass out" in the pf rules for it to work.
Did I forget something?

Thanks for all help.

Regards,
#2
6th May 2008
hydra

If you want a dirty solution, use this one:

Code:
pass quick on $ext_if inet proto tcp from any port > 1023 to any port > 1023
pass in quick on $ext_if inet proto tcp from any port 20 to any port > 1023

I will study ftp-proxy and try to find a solution (don't know when).
#3
6th May 2008
clinty

Hello hydrapolic.

If I try to use ftp-proxy, it's because I don't want to open a large port interval. I *think* I can use ftp-proxy with pf on this machine. I hope I'm right...

Regards,
#4
6th May 2008
J65nko

ftp-proxy is written for a firewall box with two interfaces. It will not work with one interface.

To protect your box with one interface you could use a table containing the ftp servers you want to talk to. Then write some rules to allow outgoing passive ftp to these servers.

You need two rules, one for the ftp command channel and another one for the ftp data channel.
  1. client source port > 1023 -> server port 21 (ftp command channel)
  2. client source port > 1023 -> server port > 1023 (ftp data channel)

I have done this on my workstation. Unfortunately I just moved house and I haven't unpacked that one yet, else I would have posted the rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
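A worked version of the two-rule scheme described in the post above, as an added example; it is not clinty's ruleset and not rules J65nko posted. It keeps the same external interface name `sk0`, uses a constructed table `<ftp_servers>` filled with placeholder addresses from the 192.0.2.0/24 documentation range, and assumes the ftp client on the box itself uses passive mode. The `rdr` to ftp-proxy from the original pf.conf is left out on purpose: `rdr` only matches packets arriving on an interface, so connections originated by the firewall host never reach the proxy, which is why the ftp-proxy approach cannot work here.

```pf
ext_if="sk0"

# Constructed example: only these FTP servers may be reached from this host.
# 192.0.2.x are documentation addresses; replace them with the real servers.
table <ftp_servers> persist { 192.0.2.10, 192.0.2.11 }

set skip on lo

# Default deny in both directions, logged to pflog0 so blocked
# traffic can be inspected with tcpdump.
block in log
block out log

antispoof quick for { lo $ext_if }

# 1. ftp command channel: this host (source port > 1023) -> server port 21
pass out on $ext_if proto tcp from ($ext_if) port > 1023 to <ftp_servers> port ftp

# 2. passive ftp data channel: this host (port > 1023) -> server port > 1023
#    pf keeps state on "pass out" rules by default, so the server's replies
#    on both channels are allowed back in without any "pass in" rule.
pass out on $ext_if proto tcp from ($ext_if) port > 1023 to <ftp_servers> port > 1023
```

Load it with `pfctl -f /etc/pf.conf` and check the expanded rules with `pfctl -sr`; if a transfer still hangs, `tcpdump -n -e -ttt -i pflog0` shows which packet hit a `block log` rule. Because nothing is passed in to high ports from the server side, an active-mode transfer (server connecting back from port 20) is blocked by design; that is the inbound hole the "dirty solution" in post #2 opens, and the reason the client must use passive mode with this ruleset.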
#5
7th May 2008
clinty

Hello J65nko.

Is there no solution to use ftp-proxy with one interface (with NAT, or interface aliases)?
Otherwise I'll use your solution: I have an array with authorized FTP servers, and I allow pass out for it.

Regards,
#6
7th May 2008
J65nko

AFAIK there is no way you can use ftp-proxy with only one interface.

Even on a dual NIC box, ftp-proxy will only work for the LAN clients. It will not work on the ftp-proxy box itself.