DaemonForums  

#1
29th October 2021
HalyconDays (New User; Join Date: Oct 2021; Posts: 4)
Access to multiple FTP Servers over PF

Hi,

First I wanted to say sorry for all the upcoming rudimentary questions. I'm very new to PF. I'm trying to figure out how to redirect traffic to multiple FTP servers.

Setup:
I have a device running QNX OS with two interfaces "en0" and "en1".
en0 - external interface with a statically assigned IP address by the user [EXT IP]/[NETMASK]
en1 - internal interface to communicate with the FTP servers over range, say, 155.155.2.0/24

Let,
155.155.2.1 - primary FTP server IP address
155.155.2.2 - secondary FTP server IP address

I would like to command FTP servers through designated ports externally.
e.g. To access the primary FTP server, the user should be able to use [EXT IP]:8021 and it'll be redirected to internal 155.155.2.1:21; likewise, [EXT IP]:8121 to 155.155.2.2:21

The tool available to me in QNX is "pf". I think redirecting the COMMAND port is no problem, and I think I have successfully done so with the following rules in "pf.conf".

Code:
ext_if="en0"
int_if="en1"

pri_ip="155.155.2.1"
sec_ip="155.155.2.2"
# Lists are built from separately quoted braces: macros are not expanded
# inside a quoted string, so "{$pri_ip, $sec_ip}" would never expand.
receiver_ips="{" $pri_ip $sec_ip "}"

protocols="{" tcp udp "}"

set block-policy drop
set loginterface $ext_if
set skip on lo0

# Normalization
scrub in all random-id fragment reassemble

# Translate the source address of packets leaving $int_if so that the
# sensors answer back to this box rather than to the external network
nat on $int_if from $ext_if:network to any -> ($int_if)

# Translate the destination of incoming control-channel connections
# (TCP port 21 only; the passive DATA ports the servers announce are
# not covered by these rules)
# Primary FTP
rdr on $ext_if proto tcp from any to $ext_if port 8021 -> $pri_ip port 21

# Secondary FTP
rdr on $ext_if proto tcp from any to $ext_if port 8121 -> $sec_ip port 21

However, as you might have guessed, the DATA ports are a problem, as they are randomly selected in the upper port range. I do not have control over the FTP servers' high port range. From my searches, it appears I need something like the "ftp-proxy" utility, which does not exist on QNX. Is there a way to dynamically redirect the DATA port, as well as communicate that redirection to the client, without the "ftp-proxy" utility?

There is also the danger that FTP servers might accidentally select the same DATA port. Somehow, "pf" needs to redirect them to different ports presented on "en0" and communicate it to the clients.

Thanks.

Last edited by HalyconDays; 29th October 2021 at 03:50 PM. Reason: Mistake in pf.conf
#2
29th October 2021
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

If I understand you correctly, you are trying to "protect" your FTP servers with a QNX pf firewall?
With the OpenBSD ftp proxy you would have to use this proxy in reverse mode.

On OpenBSD the range of data ports used by FTP data channel connections is these "hiport"s:
Code:
# sysctl -a | grep ip\.port
net.inet.ip.portfirst=1024
net.inet.ip.portlast=49151
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535
With passive ftp the server proposes a destination port in this 49152 - 65535 range to the client.
The client then uses this destination port to connect to the ftp server (using a random source port).

Because you don't have the proxy, your only way out would be to allow all incoming traffic to the high port range that your ftp servers use.
If your users are on fixed IP addresses you could limit only these IPs to connect to the high ports range.

The best solution would be to ditch the ftp servers and use "ftp over ssh" so you don't have to use this workaround. Or use https.
That way you also get rid of the FTP server security issues. Remember the Solarwinds compromise with the Windows FTP server?
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
30th October 2021
HalyconDays (New User; Join Date: Oct 2021; Posts: 4)

Thank you for the reply.

I sort of simplified my setup a little bit. The real device is not something that is exposed to the Internet at large. I should clarify that what I have is a package of a single-board embedded computer (running QNX) interfaced internally to an array of sensors via Ethernet on the PCB. Normally, a user can talk to and view the status/solution output of this package over an externally exposed Ethernet port.

Normally, external (user) access to the internal sensors is unnecessary and discouraged. However, I ran into some issues where I need to pull logs from those internal sensors. What I used to do is bridge the two network interfaces on the embedded computer and pull the data directly from the sensors. But, this is a bit cumbersome.

More to the point though, I cannot change the FTP setup on the sensors, unfortunately.

From a high level, I thought I could treat the whole setup like a QNX "firewall" "protecting" a couple of FTP servers, as an explanation of my setup.

I have thought about opening all the high ports, but I have no idea how or where to forward traffic if I have multiple FTP servers. Worse yet, when accessing both FTP servers at a time, what if both FTP servers picked the same destination port?
#4
30th October 2021
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

The reason you need a proxy for ftp is that the destination port proposal that the server makes to the client is contained in the payload of the TCP packet. A packet filter like pf only deals with the TCP/IP header and not the payload.

Re: identical port numbers
Normally this is not an issue, because TCP connections are unique: they use two IPaddress:Portnr combinations.

Code:
a.b.c.d:2000 --> w.x.y.z:65000
e.f.g.h:1400 --> w.x.y.z:65000

I am not sure if adding an alias IP address to the external IF of the QNX thingy for each additional ftp server and then using binat could solve the issue. You could give it a try.

binat provides a 1:1 mapping between an external and internal IP address and the TCP ports are not modified as in redirect and NAT.
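As an added illustration of the point made in #4 (this is constructed example code, not anything posted in the thread): the passive-mode data port is carried in the text of the server's 227 reply, so a packet filter that only reads headers never sees it, and a reverse FTP proxy has to parse that line, pick a free external port of its own, and rewrite the reply before it reaches the client. The example does that bookkeeping for the two sensor servers from the thread; the external address 192.0.2.10 and the 50000-50999 port pool are assumptions, and the rdr rule ftp-proxy would install per mapping is only recorded here, not applied.

```python
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the data port
# is p1*256 + p2 and is carried in the TCP payload, which pf does not inspect.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (ip, port) announced by a 227 reply, or None for any other line."""
    m = PASV_RE.search(line) if line.startswith("227") else None
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip, port):
    """Build the 227 reply the client will see after rewriting."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


class ReversePasvRewriter:
    """Bookkeeping a reverse ftp-proxy does on each server reply (constructed example).
    Every announcement, even two servers announcing the same port, gets its own external
    port, so the proxy, not the servers, decides what the client connects to."""

    def __init__(self, ext_ip, first_port=50000, last_port=50999):
        self.ext_ip = ext_ip  # assumed external address on en0
        self.free = list(range(first_port, last_port + 1))  # assumed pool
        self.mappings = {}  # ext_port -> (server_ip, server_data_port)

    def rewrite(self, line):
        """Return (line_for_client, mapping); mapping is None for non-PASV lines."""
        target = parse_pasv(line)
        if target is None:
            return line, None
        if not self.free:
            raise RuntimeError("external data-port pool exhausted")
        ext_port = self.free.pop(0)
        # ftp-proxy would now add the matching rdr rule through a pf anchor;
        # here the mapping is only recorded.
        self.mappings[ext_port] = target
        return format_pasv(self.ext_ip, ext_port), (ext_port, target)

    def release(self, ext_port):
        """Return a port to the pool once the data connection has closed."""
        if self.mappings.pop(ext_port, None) is not None:
            self.free.append(ext_port)
```

Feeding both servers' replies through one rewriter shows why the same-port case is harmless: each announcement lands on a distinct external port, and the original (server, port) pair is kept only for the proxy's own forwarding.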
#5
10th November 2021
HalyconDays (New User; Join Date: Oct 2021; Posts: 4)

After a week of trying stuff, I'm afraid I could not get it to work. I'm going to give up for now. I'm looking into compiling ftp-proxy on QNX, but I don't have high hopes at the moment.

Thanks for the suggestions!
#6
10th November 2021
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

Did you try binat?
#7
11th November 2021
HalyconDays (New User; Join Date: Oct 2021; Posts: 4)

This got a little complicated.

My first few attempts at binat made me lose all connection to the QNX thingy. Digging a little deeper, it seems like I didn't set up the alias IP addresses correctly. However, thinking about it a bit longer, I abandoned further attempts as it would complicate day-to-day operation (or you could chalk it up to my laziness).

I got HTTP port redirection working, and since the "FTP servers" are also web servers (and support directory listing), I just threw my hands up and said this is good enough.

My attempt at "fancy" FTP access didn't seem as crucial anymore... so I left it at that. Maybe leave it for my future self to circle back around to it... maybe when I get "ftp-proxy" to compile on QNX.

I do much appreciate all the replies though. I learned quite a bit about PF during this exercise (though the emphasis is on the "a bit").

Last edited by HalyconDays; 11th November 2021 at 05:29 AM. Reason: Formatting & wording

Tags
ftp, ftp-proxy, pf