Access to multiple FTP Servers over PF
Hi,
First I wanted to say sorry for all the upcoming rudimentary questions. I'm very new to PF. I'm trying to figure out how to redirect traffic to multiple FTP servers.

Setup: I have a device running QNX OS with two interfaces "en0" and "en1".

en0 - external interface with a statically assigned IP address by the user [EXT IP]/[NETMASK]
en1 - internal interface to communicate with the FTP servers over a range, say, 155.155.2.0/24

Let,
155.155.2.1 - primary FTP server IP address
155.155.2.2 - secondary FTP server IP address

I would like to command the FTP servers through designated ports externally. E.g. to access the primary FTP server, the user should be able to use [EXT IP]:8021 and it'll be redirected to internal 155.155.2.1:21; likewise, [EXT IP]:8121 to 155.155.2.2:21.

The tool available to me in QNX is "pf". I think redirecting the COMMAND port is no problem and I think I have successfully done so with the following rules in "pf.conf":
Code:
    ext_if="en0"
    int_if="en1"
    pri_ip="155.155.2.1"
    sec_ip="155.155.2.2"
    # pf does not expand macros inside quotes, so a list macro is built from
    # separate strings; these two macros are not used by the rules below
    receiver_ips = "{" $pri_ip $sec_ip "}"
    protocols = "{tcp, udp}"

    set block-policy drop
    set loginterface $ext_if
    set skip on lo0

    # Normalization
    scrub in all random-id fragment reassemble

    # Translate the source address of packets that arrive from the external
    # network and leave on en1, so the FTP servers answer to the QNX box itself
    nat on $int_if from $ext_if:network to any -> ($int_if)

    # Translate the destination address of incoming packets to an internal
    # machine (TCP command channel only; the data channel is not covered here)
    # Primary FTP
    rdr on $ext_if proto tcp from any to $ext_if port 8021 -> $pri_ip port 21
    # Secondary FTP
    rdr on $ext_if proto tcp from any to $ext_if port 8121 -> $sec_ip port 21

There is also the danger that the FTP servers might accidentally select the same DATA port. Somehow, "pf" needs to redirect them to different ports presented on "en0" and communicate it to the clients.

Thanks.

Last edited by HalyconDays; 29th October 2021 at 03:50 PM. Reason: Mistake in pf.conf
If I understand you correctly you are trying to "protect" your FTP servers with a QNX pf firewall?

With the OpenBSD ftp proxy you would have to use this proxy in reverse mode. On OpenBSD the range of data ports used by FTP data channel connections are these 'hiport's:
Code:
    # sysctl -a | grep ip\.port
    net.inet.ip.portfirst=1024
    net.inet.ip.portlast=49151
    net.inet.ip.porthifirst=49152
    net.inet.ip.porthilast=65535

The client then uses this destination port to connect to the ftp server (using a random source port). Because you don't have the proxy, your only way out would be to allow all incoming traffic to the high port range that your ftp servers use. If your users are on fixed IP addresses you could limit only these IPs to connect to the high port range.

The best solution would be to ditch the ftp servers and use "ftp over ssh" so you don't have to use this workaround. Or use https. That way you also get rid of the FTP server security issues. Remember the Solarwinds compromise with the Windows FTP server?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Thank you for the reply.
I sort of simplified my setup a little bit. The real device is not something that is exposed to the Internet at large. I should clarify: what I meant was that I have a package of a single-board embedded computer (running QNX) interfaced internally to an array of sensors via Ethernet on a PCB. Normally, a user can talk to and view the status/solution output of this package over an externally exposed Ethernet port. Normally, external (user) access to the internal sensors is unnecessary and discouraged. However, I ran into some issues where I need to pull logs from those internal sensors.

What I used to do is bridge the two network interfaces on the embedded computer and pull the data directly from the sensors. But this is a bit cumbersome. More to the point though, I cannot change the FTP setup on the sensors, unfortunately.

From a high level, I thought I could treat the whole setup like a QNX "firewall" "protecting" a couple of FTP servers, as an explanation for my setup. I have thought about opening all the high ports but I have no idea how or where to forward traffic if I have multiple FTP servers. Worse yet, when accessing both FTP servers at a time, what if both FTP servers picked the same destination port?
The reason you need a proxy for ftp is that the destination port proposal that the server makes to the client is contained in the payload of the TCP packet. A packet filter like pf only deals with the TCP/IP header and not the payload.
Re: identical port numbers

Normally this is not an issue, because TCP connections are unique: each one is identified by two IPaddress:Portnr combinations.
Code:
    a.b.c.d:2000 --> w.x.y.z:65000
    e.f.g.h:1400 --> w.x.y.z:65000

binat provides a 1:1 mapping between an external and an internal IP address, and the TCP ports are not modified as they are in redirect and NAT.
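To make the previous point concrete, here is an added example (written for this thread; it is not code from the thread and not OpenBSD's ftp-proxy). It models in Python what a reverse FTP proxy has to do that pf alone cannot: read the 227 "Entering Passive Mode" reply out of the TCP payload, reserve an external high port for that data channel, remember the mapping the packet filter needs, and hand the client a rewritten reply. Assumptions: the external address is the constructed placeholder 203.0.113.10 standing in for [EXT IP]; external data ports are handed out from the 49152-65535 "hiport" range quoted above; the rdr lines are rendered in the old pf syntax the original pf.conf uses; the sample 227 replies are constructed so that both internal servers pick the same data port, the collision the original poster worried about.

```python
"""Model of the control-channel rewrite a reverse FTP proxy must perform.

Added example; not code from this thread or from OpenBSD ftp-proxy.
Assumed: external address 203.0.113.10 (placeholder for [EXT IP]),
external data ports from the 49152-65535 hiport range, old-style rdr syntax.
"""
import re
from dataclasses import dataclass

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- the data-channel endpoint
# travels inside the TCP payload, which is exactly the part pf never inspects.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_pasv(reply: str) -> Endpoint:
    """Decode the address/port tuple in a 227 reply (port = p1*256 + p2)."""
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_pasv(ep: Endpoint) -> str:
    """Encode an endpoint back into 227 form."""
    octets = ep.ip.split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{}).".format(
        *octets, ep.port // 256, ep.port % 256
    )


class ReversePasvRewriter:
    """Tracks one external high port per announced data channel.

    rewrite() takes the 227 reply seen on the control connection to a given
    internal server, reserves an external port, records the mapping the packet
    filter needs, and returns the reply the client should see instead.
    """

    def __init__(self, ext_ip: str, hi_first: int = 49152, hi_last: int = 65535):
        self.ext_ip = ext_ip
        self.free = list(range(hi_first, hi_last + 1))  # external ports not in use
        self.rdr: dict[int, Endpoint] = {}  # external port -> internal data endpoint

    def rewrite(self, server_ip: str, reply: str) -> tuple[str, Endpoint]:
        announced = parse_pasv(reply)
        # Trust the control connection's peer rather than the address inside the
        # reply: a server behind NAT may announce an address the client cannot reach.
        internal = Endpoint(server_ip, announced.port)
        if not self.free:
            raise RuntimeError("high port range exhausted")
        ext_port = self.free.pop(0)
        self.rdr[ext_port] = internal
        return format_pasv(Endpoint(self.ext_ip, ext_port)), internal

    def release(self, ext_port: int) -> None:
        """Called when the data connection closes; frees the external port."""
        del self.rdr[ext_port]
        self.free.append(ext_port)

    def pf_rules(self, ext_if: str = "en0") -> list[str]:
        """The per-data-channel rdr rules pf would need (old rdr syntax)."""
        return [
            f"rdr on {ext_if} proto tcp from any to {self.ext_ip} port {p}"
            f" -> {ep.ip} port {ep.port}"
            for p, ep in sorted(self.rdr.items())
        ]


def demo() -> list[str]:
    """Both sensors happen to pick data port 65000; the rewriter keeps them apart."""
    rw = ReversePasvRewriter("203.0.113.10")
    # constructed replies, as the two internal servers would send them
    out1, _ = rw.rewrite("155.155.2.1", "227 Entering Passive Mode (155,155,2,1,253,232).")
    out2, _ = rw.rewrite("155.155.2.2", "227 Entering Passive Mode (155,155,2,2,253,232).")
    return [out1, out2] + rw.pf_rules()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` shows the two rewritten replies pointing at 203.0.113.10 ports 49152 and 49153, followed by the two rdr lines that map those ports back to 155.155.2.1:65000 and 155.155.2.2:65000. The identical internal port is harmless because each mapping is keyed on the external port, and on the wire each data connection is still a distinct (client, server) address:port pair; what pf cannot do on its own is learn the port from the payload and install that mapping at the moment the 227 reply goes by, which is the job ftp-proxy does in reverse mode.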
After a week of trying stuff, I'm afraid I could not get it to work. I'm going to give up for now. I'm looking into compiling ftp-proxy on QNX but I don't have high hopes at the moment.

Thanks for the suggestions!
Did you try binat?
This got a little complicated.
My first few attempts at binat made me lose all connection to the QNX thingy. Digging a little deeper, it seems like I didn't set up the alias IP addresses correctly. However, thinking about it a bit longer, I abandoned further attempts as it would complicate day-to-day operation (or you could chalk it up to my laziness).

I got HTTP port redirection working and, since the "FTP servers" are also web servers (and support directory listing), I just threw my hands up and said this is good enough. My attempt at "fancy" FTP access didn't seem as crucial anymore... so I left it at that. Maybe I'll leave it for my future self to circle back around to it... maybe when I get "ftp-proxy" to compile on QNX.

Do much appreciate all the replies though. I learned quite a bit about PF during this exercise (though the emphasis is on the "a bit").

Last edited by HalyconDays; 11th November 2021 at 05:29 AM. Reason: Formatting & wording