DaemonForums - FreeBSD Security

#1  rayit, 17th April 2021

PF FTP to outside 425 Can't build data connection: illegal port number

I have one PF firewall and two servers behind the FreeBSD firewall.

Everything has been working great for years.
But I wanted to make backups to a home computer with FTP (plesk server).

Problem: making a connection from behind the firewall to my home server.

Here is the configuration.
ftp-proxy is started.
Connecting from outside to the FTP server works great.
One server that is not behind the firewall can back up to my home location with no problems.

I get this error from curl:
Code:
< 257 "/tank4t/backup" is current directory.
* Entry path is '/tank4t/backup'
> CWD plesk01
* ftp_perform ends with SECONDARY: 0
< 250 CWD command successful.
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||50516|)
*   Trying xx.xx.x.118...
* Connecting to xx.xx.x.118 (xx.xx.x.118) port 50516
* Connected to home.rayit.com (xx.xx.9x.118) port 21 (#0)
> TYPE A
< 200 Type set to A.
> LIST
< 425 Can't build data connection: illegal port number
* RETR response: 425
* Remembering we are in dir "plesk01/"
* Connection #0 to host home.xxxx.com left intact
curl: (19) RETR response: 425
PF config
Code:
...
plesk_services = "{ 8443, www, https, imaps, pop3s, 53, 5224, 6489, 8447, 993, 587, 465, 25, 20, 21, 49152:65535, 715 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy drop
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
### ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to $int_if port ftp -> 127.0.0.1 port 8021

nat on $ext_if from $plesk03_int to any port {25} -> $plesk03_ext
nat on $ext_if from $plesk01_int to any port {25} -> $plesk01_ext
nat on $ext_if from $plesk01_int to any port {587} -> $plesk01_ext
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to $plesk01_ext port $plesk_services -> $plesk01_int
rdr pass on $ext_if inet proto tcp from any to $plesk03_ext port $plesk_services -> $plesk03_int

################ Filtering #################################
### filter rules
block log all

### fail2ban
table <fail2ban> persist
block in quick from <fail2ban>

### spamd
table <soamd-white> persist

# FTP
pass in on $int_if proto tcp from any to any  port 21 flags S/SA synproxy state
pass in on $int_if proto tcp from any to any port > 49151 keep state

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# FTP
pass out proto tcp from any to any port ftp
pass in on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all keep state
pass out proto tcp from self to any keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if proto tcp all keep state

### end pf.conf

I read a lot and tried several things. When I use any to any it works,
but then the clients from outside cannot connect anymore.

It would be great if somebody could point me in the right direction.
Many thanks!

Raymond
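When debugging passive FTP through PF, the first thing worth checking is whether the data port the server announces in its 227 (PASV) or 229 (EPSV) reply actually falls inside the port range the firewall passes. The script below is an added example, not code from the post above or from ftp-proxy: it parses those replies out of a control-channel transcript (raw or `curl -v` style) and compares each announced port with a pf.conf port spec such as the `49152:65535` used in the `plesk_services` macro above. The sample transcript is constructed; its first lines are taken from the curl output in the post, and the 227 line is invented to show a port outside the range.

```python
"""Check FTP passive-mode data ports from a control-channel transcript against
the port range a pf.conf permits (added example; constructed sample data)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two passive-mode replies an FTP server can send:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (PASV, RFC 959; port = p1*256 + p2)
#   229 Entering Extended Passive Mode (|||port|)    (EPSV, RFC 2428; host is the control peer)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass
class DataEndpoint:
    host: Optional[str]  # None for EPSV: the client reuses the control connection's peer
    port: int
    mode: str            # "PASV" or "EPSV"


def parse_passive_reply(line: str) -> Optional[DataEndpoint]:
    """Return the data endpoint announced by a 227/229 reply, or None for other lines.

    Accepts raw reply lines and curl -v lines, which prefix server replies with "< ".
    """
    text = line.strip()
    if text.startswith("<"):
        text = text[1:].strip()
    m = PASV_RE.match(text)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        return DataEndpoint(host, port, "PASV")
    m = EPSV_RE.match(text)
    if m:
        return DataEndpoint(None, int(m.group(1)), "EPSV")
    return None


def parse_pf_port_spec(spec: str) -> range:
    """Turn a pf.conf port spec ('49152:65535' or a single '21') into a Python range."""
    lo, _, hi = spec.strip().partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 < lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return range(lo_i, hi_i + 1)


def audit_transcript(lines: List[str], allowed: range) -> List[Tuple[str, int, bool]]:
    """For every passive reply in the transcript, report (mode, port, permitted_by_firewall)."""
    findings = []
    for line in lines:
        ep = parse_passive_reply(line)
        if ep is not None:
            findings.append((ep.mode, ep.port, ep.port in allowed))
    return findings


# Constructed sample transcript: the first part mirrors the curl output in the post,
# the 227 line is made up to show a PASV reply whose port falls outside the range.
TRANSCRIPT = [
    "> EPSV",
    "< 229 Entering Extended Passive Mode (|||50516|)",
    "> LIST",
    "< 425 Can't build data connection: illegal port number",
    "> PASV",
    "< 227 Entering Passive Mode (192,0,2,10,19,136)",  # 19*256+136 = port 5000
]

if __name__ == "__main__":
    # The range comes from the plesk_services macro in the posted pf.conf.
    allowed = parse_pf_port_spec("49152:65535")
    for mode, port, ok in audit_transcript(TRANSCRIPT, allowed):
        verdict = "inside" if ok else "OUTSIDE"
        print(f"{mode} data port {port}: {verdict} the permitted range "
              f"{allowed.start}:{allowed[-1]}")
```

Run against the lines from the post, the script reports that 50516 is inside 49152:65535, so the firewall's passive range is not what refused that data connection; the 425 is a reply from the remote server, which is where the next look belongs. A 227 reply whose computed port lands outside the range, as in the constructed PASV line, is the case where PF itself would be the one dropping the data connection.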