PF FTP to outside 425 Can't build data connection: illegal port number
I have 1 PF firewall and 2 servers behind the FreeBSD firewall.
Everything has been working great for years. But I wanted to make backups to a home computer with FTP (Plesk server). Problem: making a connection from behind the firewall to my home server. Here is the configuration; ftp-proxy is started. From outside to the FTP server works great. 1 server not behind the firewall can back up to my home location with no problems. I get this error from curl:
Code:
< 257 "/tank4t/backup" is current directory.
* Entry path is '/tank4t/backup'
> CWD plesk01
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful.
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||50516|)
* Trying xx.xx.x.118...
* Connecting to xx.xx.x.118 (xx.xx.x.118) port 50516
* Connected to home.rayit.com (xx.xx.9x.118) port 21 (#0)
> TYPE A
< 200 Type set to A.
> LIST
< 425 Can't build data connection: illegal port number
* RETR response: 425
* Remembering we are in dir "plesk01/"
* Connection #0 to host home.xxxx.com left intact
curl: (19) RETR response: 425
Code:
...
plesk_services = "{ 8443, www, https, imaps, pop3s, 53, 5224, 6489, 8447, 993, 587, 465, 25, 20, 21, 49152:65535, 715 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy drop
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface

### ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to $int_if port ftp -> 127.0.0.1 port 8021

nat on $ext_if from $plesk03_int to any port {25} -> $plesk03_ext
nat on $ext_if from $plesk01_int to any port {25} -> $plesk01_ext
nat on $ext_if from $plesk01_int to any port {587} -> $plesk01_ext
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr pass on $ext_if inet proto tcp from any to $plesk01_ext port $plesk_services -> $plesk01_int
rdr pass on $ext_if inet proto tcp from any to $plesk03_ext port $plesk_services -> $plesk03_int

################ Filtering #################################
### filter rules
block log all

### fail2ban
table <fail2ban> persist
block in quick from <fail2ban>

### spamd
table <soamd-white> persist

# FTP
pass in on $int_if proto tcp from any to any port 21 flags S/SA synproxy state
pass in on $int_if proto tcp from any to any port > 49151 keep state

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any
# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# FTP
pass out proto tcp from any to any port ftp
pass in on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all keep state
pass out proto tcp from self to any keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if proto tcp all keep state
### end pf.conf
But then the clients from outside cannot connect anymore. It would be great if somebody could point me in the right direction. Many thanks!
Raymond
The problem with ftp is that it sets up and tears down a new TCP connection, using different ports, each time DATA is being transferred.
IMHO for backing up, setting up rsync(1), where you only have to deal with one single TCP connection, would be the better alternative. Or scp(1).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 18th April 2021 at 02:58 AM.
Many thanks for thinking with me.
I would love to use rsync or scp, but Plesk works with FTP, and clients can restore their backups manually and can browse them. As it seems now, the backup works but is not browsable. Many thanks,
RayIT
I had the impression that your issue was not very regular and only concerned you, hence my advice.
Please note that the following is on OpenBSD. FreeBSD uses an older version of pf and ftp-proxy. To help in debugging and visualizing what exactly is going on, you can do several things: You can start ftp-proxy with the do-not-daemonize option -d to stay in the foreground and log to stderr. With the highest debugging level -D7 you get output like:
Code:
#1 client: CWD snapshots\r\n
#1 server: 250 Directory successfully changed.\r\n
#1 client: CWD amd64\r\n
#1 server: 250 Directory successfully changed.\r\n
#1 client: TYPE I\r\n
#1 server: 200 Switching to Binary mode.\r\n
#1 client: SIZE bsd.rd\r\n
#1 server: 213 4205697\r\n
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||51575|).\r\n
#1 passive: client to server port 51575 via port 61751
#1 proxy: 229 Entering Extended Passive Mode (|||61751|)\r\n
#1 client: RETR bsd.rd\r\n
#1 server: 150 Opening BINARY mode data connection for bsd.rd (4205697 bytes).\r\n
#1 server: 226 Transfer complete.\r\n
#1 client: MDTM bsd.rd\r\n
Code:
root@alix[~] /usr/sbin/ftp-proxy -T FTP_DATA -d -D6
listening on 127.0.0.1 port 8021
#1 FTP session 1/100 started: client 192.168.222.242 to server 213.136.12.213 via proxy 192.168.2.3
#1 passive: client to server port 64749 via port 53235
#1 passive: client to server port 36316 via port 51977
#1 passive: client to server port 55342 via port 55731
#1 server close
#1 ending session
Code:
#!/bin/sh
# Dump the rules ftp-proxy inserts into its anchor every PAUSE seconds,
# appending to a log file so the short-lived rules can be read afterwards.
LOG=/var/log/anchor-log
#exec >${LOG} 2>&1
exec >>${LOG} 2>&1
if [ "x$1" = "x" ] ; then
    PAUSE=3
else
    PAUSE=$1
fi
while true ; do
    date
    pfctl -a 'ftp-proxy/*' -vvsr
    sleep $PAUSE
done
# ----
# tail -f /var/log/anchor-log in another xterm.
Code:
Sun Apr 18 22:55:39 CEST 2021
anchor "30846.1" all {
  @0 match in on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213 port = 60225 flags S/SA keep state (max 1) tag FTP_DATA rtable 0 rdr-to 213.136.12.213 port 59339
  [ Evaluations: 33        Packets: 5203      Bytes: 5349616     States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
  @1 match out on rdomain 0 inet proto tcp from 192.168.222.242 to 213.136.12.213 port = 59339 flags S/SA keep state (max 1) tag FTP_DATA nat-to 192.168.2.3
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 109 pid 30846 State Creations: 0     ]
}
BTW, on home networks that have an external ftp server in a DMZ, people run two instances of ftp-proxy (each on a separate port): one for the external clients connecting to the DMZ server, the other for local home network users to use ftp servers on the internet. That makes it easier to manage and create rules. Not sure if that would be helpful in your case.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
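As an added example (not code from any post in this thread): a small Python script that pulls the data port out of FTP 227/229 replies and the "passive: client to server port X via port Y" lines of ftp-proxy debug output, and checks each port against the passive range the pf rules open (49152:65535, as in the poster's plesk_services). The sample transcript is constructed, modelled on the curl and ftp-proxy lines quoted above, and the 49152:65535 default is an assumption taken from that ruleset.

```python
import re
# Constructed sample transcript, modelled on the curl output and the ftp-proxy -D7
# lines quoted in this thread (not real captured data).
SAMPLE = """\
< 229 Entering Extended Passive Mode (|||50516|)
#1 server: 227 Entering Passive Mode (213,136,12,213,231,203).
#1 passive: client to server port 51575 via port 61751
#1 proxy: 229 Entering Extended Passive Mode (|||61751|)
< 229 Entering Extended Passive Mode (|||40000|)
"""

EPSV_RE = re.compile(r"229 .*\(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PROXY_RE = re.compile(r"passive: client to server port (\d+) via port (\d+)")

def parse_data_port(line):
    """Return (kind, host, port) for a 227/229 reply, or None for any other line."""
    m = EPSV_RE.search(line)
    if m:  # EPSV carries only the port; the host is the control-connection peer
        return ("EPSV", None, int(m.group(1)))
    m = PASV_RE.search(line)
    if m:  # PASV encodes host and port as six decimal octets, port = p1*256 + p2
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("PASV", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return None

def in_passive_range(port, lo=49152, hi=65535):
    # Default range is an assumption: the 49152:65535 entry in the poster's plesk_services
    return lo <= port <= hi

def audit(text, lo=49152, hi=65535):
    """Walk a transcript; return one finding per passive reply or proxy mapping."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:  # ftp-proxy rewrote the server's data port to its own listener port
            srv, prx = int(m.group(1)), int(m.group(2))
            findings.append({"kind": "proxy-map", "server_port": srv, "proxy_port": prx,
                             "ok": in_passive_range(srv, lo, hi) and in_passive_range(prx, lo, hi)})
            continue
        parsed = parse_data_port(line)
        if parsed:
            kind, host, port = parsed
            findings.append({"kind": kind, "host": host, "port": port,
                             "ok": in_passive_range(port, lo, hi)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the curl -v transcript or the ftp-proxy -d output and any finding with "ok": False is a data port the ruleset would not pass.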