DaemonForums > OpenBSD > OpenBSD Installation and Upgrading
#1
Old 15th February 2012
kbeaucha
Port Guard

Join Date: May 2008
Posts: 24
Thanked 0 Times in 0 Posts
ftp proxy and pf.conf rules (From The Book of PF, 2nd Ed)

I am updating my primary firewall to 5.0 and taking the opportunity to clean up my ruleset a little at the same time.

I am using The Book of PF 2nd Edition as a guide to setting up the ftp proxy.

The book says I'll only need three things in my pf.conf to make the proxy work (after enabling ftpproxy_flags in rc.conf.local):

    The anchor line:   anchor "ftp-proxy/*"
    A pass in rule:    pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
    A pass out rule:   pass out proto tcp from $proxy to any port ftp

I originally had more restrictive pass rules in place, but pfctl wouldn't load the ruleset because it said the "proxy" macro wasn't defined, so I entered the lines as written but still get the same warning.

Am I supposed to substitute something for $proxy in my rules, or is that pass-out implicit in the proxy?

Thanks
kmb
#2
Old 15th February 2012
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

You have missed a critical document, the OpenBSD Upgrade Guide 5.0. I'm going to quote from it:
Quote:
    PF changes requiring changes to your pf.conf rules

    ftp-proxy(8) and tftp-proxy(8) have changed: They now use divert-to instead of rdr-to, which improves performance. Old rules like these:

        pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
        pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969

    should be replaced with:

        pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
        pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969

    Note that with divert-to, the address family (in this example inet) must be specified explicitly.
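The following is an added example, not a ruleset from the thread, from The Book of PF, or from the OpenBSD upgrade guide. It puts the three pieces from the original question together with the divert-to form from the upgrade guide in one pf.conf fragment. pf.conf macros are plain text substitutions that must be defined above their first use, so the "macro 'proxy' not defined" error from pfctl means exactly that: the pass out rule is not implicit in the proxy, and the $proxy macro has to be given a value. The interface names em0/em1, the macro names ext_if/int_if and the address 192.0.2.1 are placeholders assumed here, not values from the page.

```pf
# Added example (not from the thread): minimal ftp-proxy(8) glue for an OpenBSD 5.0 pf.conf.
# ext_if, int_if and 192.0.2.1 are assumed placeholders; substitute your own interfaces
# and the firewall's own address.
ext_if = "em0"
int_if = "em1"

# This is the macro the original rules refer to. Without it pfctl rejects the file.
# The proxy opens its control connection to the real FTP server from the firewall itself,
# so the firewall's own address is what the pass out rule needs to match.
proxy = "192.0.2.1"

# Default deny; everything passed below is stateful by default.
block all

# ftp-proxy(8) inserts the per-session data-connection rules into this anchor.
anchor "ftp-proxy/*"

# 5.0 and later: divert-to instead of rdr-to, and the address family (inet) is mandatory.
# Client control connections from the LAN are diverted to the proxy listening on 127.0.0.1:8021.
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# The proxy's own outgoing control connection to the remote FTP server.
pass out on $ext_if inet proto tcp from $proxy to any port ftp

# Ordinary LAN traffic, unrelated to the proxy.
pass in on $int_if inet from $int_if:network
pass out on $ext_if inet
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; that dry run is where an undefined macro or a missing address family on a divert-to rule shows up before anything is replaced in the kernel, and `pfctl -f /etc/pf.conf` loads it once clean. The anchor only ever holds the data-connection rules the proxy adds while a session is active, so the static pass out rule for the proxy's own control connection is still needed. If ftp-proxy is started with its -a option to pin the source address of those outgoing connections, $proxy should be set to that address instead.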
#3
Old 16th February 2012
kbeaucha
Port Guard

Join Date: May 2008
Posts: 24
Thanked 0 Times in 0 Posts

Thanks for that.

I've updated my ruleset to use divert-to and specify inet, so there don't seem to be any errors there. I'm still not sure about that pass out rule - I'll be rereading the ftp and ftp-proxy man pages and doing some more testing.

Postscript: The link to the upgrade guides is very appreciated. I don't know if I had ever seen them before.

kmb
#4
Old 16th February 2012
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 3,645
Thanked 214 Times in 189 Posts

Quote:
I don't know if I had ever seen them before.
You should take the time to review each upgrade guide for any prior upgrades you've performed. In 2008, you had a thread related to a 4.2->4.3 upgrade issue, and in it mentioned a 4.2 base install. If this is the same system, please review the upgrade guides from 4.3 onward to ensure you have implemented all recommended manual changes. You may be running with out-of-date configuration files, at the very least.

With 4.4, the sysmerge(8) command became available, allowing automatic or semi-automatic updates to files in /etc and /var during upgrades. Prior to 4.4, such as with 4.3, sysutils/mergemaster was available.