FreeBSD Security: Securing FreeBSD.

PF FTP to outside 425 Can't build data connection: illegal port number
I have one PF firewall and two servers behind the FreeBSD firewall.

Everything has been working great for years. But I wanted to make backups to a home computer with FTP (Plesk server). Problem: making a connection from behind the firewall to my home server. Here is the configuration; ftp-proxy is started. From outside to the FTP server works great. One server that is not behind the firewall can back up to my home location with no problems. I get this error from curl:

Code:
< 257 "/tank4t/backup" is current directory.
* Entry path is '/tank4t/backup'
> CWD plesk01
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful.
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||50516|)
*   Trying xx.xx.x.118...
* Connecting to xx.xx.x.118 (xx.xx.x.118) port 50516
* Connected to home.rayit.com (xx.xx.9x.118) port 21 (#0)
> TYPE A
< 200 Type set to A.
> LIST
< 425 Can't build data connection: illegal port number
* RETR response: 425
* Remembering we are in dir "plesk01/"
* Connection #0 to host home.xxxx.com left intact
curl: (19) RETR response: 425

Code:
...
plesk_services = "{ 8443, www, https, imaps, pop3s, 53, 5224, 6489, 8447, 993, 587, 465, 25, 20, 21, 49152:65535, 715 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy drop
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface

### ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to $int_if port ftp -> 127.0.0.1 port 8021

nat on $ext_if from $plesk03_int to any port {25} -> $plesk03_ext
nat on $ext_if from $plesk01_int to any port {25} -> $plesk01_ext
nat on $ext_if from $plesk01_int to any port {587} -> $plesk01_ext
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr pass on $ext_if inet proto tcp from any to $plesk01_ext port $plesk_services -> $plesk01_int
rdr pass on $ext_if inet proto tcp from any to $plesk03_ext port $plesk_services -> $plesk03_int

################ Filtering #################################
### filter rules
block log all

### fail2ban
table <fail2ban> persist
block in quick from <fail2ban>

### spamd
table <soamd-white> persist

# FTP
pass in on $int_if proto tcp from any to any port 21 flags S/SA synproxy state
pass in on $int_if proto tcp from any to any port > 49151 keep state

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# FTP
pass out proto tcp from any to any port ftp
pass in on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all keep state
pass out proto tcp from self to any keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if proto tcp all keep state

### end pf.conf

But then the clients from outside cannot connect anymore. It would be great if somebody could point me in the right direction.

Many thanks!
Raymond
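The 229 reply in the curl trace above carries only a port number: per RFC 2428 an EPSV client opens the data connection to the same address as the control connection, so the firewall in the path (ftp-proxy and the pf rules that pass the ephemeral port range) decides whether that second connection ever reaches the server. A classic PASV (227) reply carries both address and port, which is where a NATed server advertising its private address bites. The Python below is an added example, not code from the original post, from FreeBSD or from ftp-proxy: it decodes both reply forms, reuses the same priv_nets list as the pf.conf above to decide whether a PASV address can be trusted, and checks the resulting data port against pf port specs such as the `49152:65535` and `> 49151` used in that ruleset. The reply strings, the `is_private`/`check_data_connection` helpers and the 203.0.113.118 control-peer address (a documentation address standing in for the redacted xx.xx.x.118) are constructed for the example.

```python
"""Decode FTP passive-mode replies (227 PASV, 229 EPSV) and check the
data port against pf-style port specs.  Added example; the replies and
addresses used here are constructed, not captured from the server in the post."""
import re
from ipaddress import ip_address, ip_network

# Same networks as the priv_nets macro in the pf.conf above.
PRIV_NETS = [ip_network(n) for n in
             ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# RFC 2428 EPSV reply: 229 ... (<d><d><d><tcp-port><d>), <d> is one delimiter char.
_EPSV_RE = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")
# RFC 959 PASV reply: 227 ... h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def is_private(host):
    """True if host falls inside one of the priv_nets ranges (hypothetical helper)."""
    return any(ip_address(host) in net for net in PRIV_NETS)


def parse_passive_reply(reply, control_peer):
    """Return (host, port) the client will open the data connection to.

    control_peer is the address the control connection is talking to.  For
    EPSV that is the data address by definition.  For PASV the advertised
    h1.h2.h3.h4 is used unless it is private while the control peer is not
    (a NATed server leaking its inside address); then the control peer is
    used instead, the substitution curl makes with --ftp-skip-pasv-ip.
    """
    m = _EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range: %d" % port)
        return control_peer, port
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV field out of range: %r" % reply)
        port = p1 * 256 + p2
        if port == 0:
            raise ValueError("PASV port 0 is not usable")
        host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
        if is_private(host) and not is_private(control_peer):
            host = control_peer
        return host, port
    raise ValueError("not a 227/229 passive-mode reply: %r" % reply)


def pf_port_match(port, spec):
    """True if port satisfies one pf port spec: '21', '49152:65535' or '> 49151'."""
    spec = spec.strip()
    if spec.startswith(">"):
        return port > int(spec[1:])
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":", 1))
        return lo <= port <= hi
    return port == int(spec)


def check_data_connection(reply, control_peer, specs):
    """Decode reply and report whether any pf spec in specs passes the data port.

    Returns (host, port, allowed); hypothetical helper tying the two steps together.
    """
    host, port = parse_passive_reply(reply, control_peer)
    return host, port, any(pf_port_match(port, s) for s in specs)


if __name__ == "__main__":
    peer = "203.0.113.118"            # constructed stand-in for the redacted server
    specs = ("49152:65535", "> 49151")  # port specs from the pf.conf above
    for reply in ("229 Entering Extended Passive Mode (|||50516|)",
                  "227 Entering Passive Mode (192,168,1,10,197,84)",
                  "227 Entering Passive Mode (203,0,113,118,3,225)"):
        print(reply, "->", check_data_connection(reply, peer, specs))
```

Run it with no arguments and it prints, for each constructed reply, the address and port the client would dial and whether the pf port specs would let that connection in; the third sample advertises port 993, which no rule in the ruleset above passes for a data connection, so it reports False.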
Tags: ftp, passive, pf