DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 12th December 2013
bsd_matt bsd_matt is offline
Port Guard
 
Join Date: Oct 2013
Posts: 12
Thanked 0 Times in 0 Posts
Default Ftp & pf

Now that I have almost everything working I am left with my final hurdle; FTP.

My ftp sessions freeze up after issuing the 'LIST' command, until the session times-out.

FTP-Proxy command:
ftp-proxy -p 8021 -R 192.168.0.101 -P 21 -D7 -v -d -a 50.x.x.x

Results:
#8 accepted connection from 72.38.43.86
#8 FTP session 1/100 started: client 72.38.43.86 to server 192.168.0.101 via proxy 50.x.x.x
#8 server: 220 ProFTPD 1.3.5rc3 Server (Debian) [50.115.176.101]\r\n
#8 client: USER bsd_matt\r\n
#8 server: 331 Password required for bsd_matt\r\n
#8 client: PASS password\r\n
#8 server: 230 User bsd_matt logged in\r\n
#8 client: SYST\r\n
#8 server: 215 UNIX Type: L8\r\n
#8 client: PWD\r\n
#8 server: 257 "/" is the current directory\r\n
#8 client: PASV\r\n
#8 server: 227 Entering Passive Mode (50,x.x.x,127,143).\r\n
#8 passive: client to server port 32655 via port 54291
#8 proxy: 227 Entering Passive Mode (127,0,0,1,212,19)\r\n
#8 client: LIST\r\n
#8 client: ABOR\r\n
************************************************** ***********
pf.conf:

# The name of your virtual internal NIC group
ext_if = "em0"
int_if = "em2"

testbench_pub_ip = "50.x.x.x"
testbench = "192.168.0.101"

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

set block-policy drop
set loginterface egress
set loginterface em0
set loginterface em2
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
set skip on { lo0, $int_if }
match in log all scrub (no-df)
# NAT
match out log on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick inet6 all
block out quick inet6 all
block in log all
pass out log inet keep state
pass in log on { $int_if }


match out on $ext_if inet from $int_if nat-to ($ext_if)

anchor "ftp-proxy/*"
pass in log on $ext_if inet proto tcp to $testbench_pub_ip port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8021

pass out log on $int_if inet proto tcp to $testbench port 21 user proxy

************************************************** *
Reply With Quote
  #2   (View Single Post)  
Old 12th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,609
Thanked 214 Times in 189 Posts
Default

I note you are using rdr-to with ftp-proxy. At OpenBSD 5.0, this was changed to divert-to.

So far, you have not yet mentioned what release of the OS you're running. If you are running 5.0 or newer, please use divert-to, and see if that solves your issue.
Reply With Quote
  #3   (View Single Post)  
Old 12th December 2013
bsd_matt bsd_matt is offline
Port Guard
 
Join Date: Oct 2013
Posts: 12
Thanked 0 Times in 0 Posts
Default

Running OBSD v5.4
The divert-to change didn't help.

After running:
09:36:34 root@tng # pfctl -vv -a ftp-proxy/19725.7 -sr

@0 pass in log quick on rdomain 0 inet proto tcp from 72.38.43.86 to 50.x.x.x port = 57241 flags S/SA keep state (max 1) rtable 0 rdr-to 192.168.0.101 port 31705
[ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 71 pid 19725 State Creations: 0 ]
@1 pass out log quick on rdomain 0 inet proto tcp from 72.38.43.86 to 192.168.0.101 port = 31705 flags S/SA keep state (max 1) nat-to 50.x.x.x

my ftp server (proftpd) is setup as follows:
Masquerading address: 50.x.x.x
Passive Ports: 30000:35000

Last edited by bsd_matt; 12th December 2013 at 02:49 PM.
Reply With Quote
  #4   (View Single Post)  
Old 12th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,609
Thanked 214 Times in 189 Posts
Default

I think I see another issue - you are using -a rather than -b with ftp-proxy. No state is established, according to your pfctl output, and this could be the reason.

Please review the Issues with FTP chapter of the PF User's guide, in particular, the section FTP Server Protected by an External PF Firewall Running NAT for recommended ftp-proxy flags and recommended filter rules, which you are not using.
Reply With Quote
  #5   (View Single Post)  
Old 12th December 2013
bsd_matt bsd_matt is offline
Port Guard
 
Join Date: Oct 2013
Posts: 12
Thanked 0 Times in 0 Posts
Default

PF.conf:

ext_ip = "50.115.x.x"
ftp_ip = "192.168.0.101"
match out on $ext_if inet from $int_if nat-to ($ext_if)
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port { ftp, ftp-data } divert-to 127.0.0.1 port 8022
pass out on $int_if inet proto tcp to $ftp_ip port { ftp, ftp-data } user proxy
================================================== =====
ftp-proxy:
ftp-proxy -d -D7 -v -p 8022 -R 192.168.0.101 -P 21

This results in the same situation.
As soon as I get this working I have 10 other ftp servers I need to allow through. An old OBSD v4.8 box currently works with these settings:

old pf.conf:

pass in log on $ext_if proto { tcp, udp } from any to 38.x.x.x port { ftp ftp-data } rdr-to $upload_ip
.
.
pass in log on $ext_if inet proto tcp from any to $server_1 port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8022
pass in log on $ext_if inet proto tcp from any to $upload_ip port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8023
pass in log on $ext_if inet proto tcp from any to $server_2 port ftp flags S/SAFR modulate state rdr-to 127.0.0.1 port 8024

and ftp-proxy:
/usr/sbin/ftp-proxy -p 8022 -R 192.168.0.226 -P 21
/usr/sbin/ftp-proxy -p 8023 -R 192.168.0.152 -P 21
/usr/sbin/ftp-proxy -p 8024 -R 192.168.0.111 -P 21
############################
What I fail to understand is how/why the old gateway works fine but the new settings do not.

Last edited by bsd_matt; 12th December 2013 at 04:18 PM.
Reply With Quote
  #6   (View Single Post)  
Old 12th December 2013
bsd_matt bsd_matt is offline
Port Guard
 
Join Date: Oct 2013
Posts: 12
Thanked 0 Times in 0 Posts
Default

Interesting development;

I can replicate the results (of it not working) with these lines in my pf.conf:

pass in on $ext_if proto tcp to $testbench_pub_ip port 21 rdr-to $testbench
pass in on $ext_if proto tcp to $testbench_pub_ip port 30000:35000

So what does that tell me? Perhaps ftp-proxy isn't working as it should?
Reply With Quote
  #7   (View Single Post)  
Old 12th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,609
Thanked 214 Times in 189 Posts
Default

Your new rules do not use the -b option of ftp-proxy, as the PF User's Guide recommended. It is my guess that you will want this set to your external 50.x.x.x
Code:
 -b address
             Address where the proxy will listen for redirected control
             connections.  The default is 127.0.0.1, or ::1 in IPv6 mode.
The guide states (highlight mine):
Quote:
Edit /etc/rc.conf.local and add the following:

ftpproxy_flags="-R 10.10.10.1 -p 21 -b 192.168.0.1"

Here 10.10.10.1 is the IP address of the actual FTP server, 21 is the port we want ftp-proxy(8) to listen on, and 192.168.0.1 is the address on the firewall that we want the proxy to bind to.
You asked:
Quote:
What I fail to understand is how/why the old gateway works fine but the new settings do not.
Your older system was OpenBSD 4.7. As I mentioned above, at 5.0 ftp-proxy changed. Both your use of the proxy and PF rules should have been revisited, and I'm sorry you mised it. Here's a link to the section from the 5.0 Upgrade Guide that describes the change, which I have excerpted below for your convenience.
Quote:
PF changes requiring changes to your pf.conf rules

ftp-proxy(8) and tftp-proxy(8) have changed: They now use divert-to instead of rdr-to, which improves performance. Old rules like these:

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969

should be replaced with:

pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969

Note that with divert-to, the address family (in this example inet) must be specified explicitly.

Last edited by jggimi; 12th December 2013 at 05:03 PM. Reason: typo
Reply With Quote
  #8   (View Single Post)  
Old 12th December 2013
bsd_matt bsd_matt is offline
Port Guard
 
Join Date: Oct 2013
Posts: 12
Thanked 0 Times in 0 Posts
Default Thank-you....

Your reply was very welcome. And it actually cleared up a few questions that I had. Thank-you.

I have removed the -b option so now the ftp-proxy command looks like this:

ftp-proxy -d -D7 -v -p 8022 -R 192.168.0.101 -P 21 -r

While I stated that [begin whine mode] I don't understand why this isn't working [/end whine mode], I actually do understand that the syntax and commands have changed. I know that the old rule-set won't work as a copy/paste. I was just trying to express some frustration, and I am sorry that i took it out on you.

As best I can tell the communication between server & client is failing after the client logs in, and the server tries switching to a new port (PASV mode).

[code]
#4 client: PASV\r\n
#4 server: 227 Entering Passive Mode (50,115,176,101,126,164).\r\n
#4 passive: client to server port 32420 via port 50220
#4 proxy: 227 Entering Passive Mode (50,115,176,101,196,44)\r\n
#4 client: LIST\r\n
[\code]


Is it possible that the client isn't getting this data? Am I missing a " pass out ALL" style statement in my pf.conf?

In the client I see this message :
227 Entering Passive Mode (50, 115,176,101,214,39)
LIST

So the client is getting the information, and trying to connect, but the firewall isn't allowing the new connection.

Update:
While using FileZilla I get a new error that I haven't seen before.
Command: PWD
Response: 257 "/" is the current directory
Command: PORT 192,168,1,125,127,38
Response: 200 PORT command successful
Command: MLSD
Response: 425 Unable to build data connection: Connection refused.
Error: Failed to retrieve directory listing.

Last edited by bsd_matt; 12th December 2013 at 07:24 PM. Reason: added client information && FileZilla error.
Reply With Quote
  #9   (View Single Post)  
Old 14th December 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,609
Thanked 214 Times in 189 Posts
Default

If I understood your environment, you have an FTP server on your LAN that you would like to expose to the Internet at address 50.x.x.x. It's internal address is 192.168.0.101.

If that is correct, I recommend the following:
  • On your 192.168.0.101 platform, configure your FTP server to accept standard passive FTP traffic. The server should listen on TCP port 21.
  • On your firewall, configure your ftp-proxy server with the following flags: "-R 192.168.0.101 -p 21 -b 50.x.x.x"
    • The -R option sets the proxy in reverse mode, to support a server through NAT rather than clients. The address listed is the address of the server on your private LAN.
    • The -p option instructs the ftp-proxy to listen on port 21, as it will act as the FTP server to clients on the Internet.
    • The -b option instructs the proxy to listen to this external address. In my test, I selected one of the alias addresses I'd assigned to the firewall's Internet facing NIC.
  • No port redirection rules are needed in PF to support this traffic. The ftp-proxy application listens to an address on the external NIC port 21 and routes that traffic through to the FTP server's port 21.
  • The following rules are needed to pass this traffic:
Code:
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp to 50.x.x.x port 21
pass out on $int_if proto tcp to 192.168.0.101 port 21 user proxy

Redirection via divert-to is needed to support clients behind the firewall, not the servers.
Reply With Quote
Reply

Tags
ftp ftp-proxy pf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 06:03 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick