DaemonForums > OpenBSD > OpenBSD Security

#1  12th October 2011, nocturnal (New User)
Ftp-proxy with NAT PF not working

It should be simple; I even have the Book of PF, 2nd edition, and examples of how to do it from Google for both 4.7 and 4.8. I just can't get mine to work, though. I'm running 4.9.

Here is my pfctl -sr output:

Code:
block drop all
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = 1022 flags S/SA keep state label "PassInMGMTSSH"
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = ssh flags S/SA keep state label "PassInMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = 1022 flags S/SA keep state label "PassOutMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = ssh flags S/SA keep state label "PassOutMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "CUST-PassCarp"
pass quick on vic3 proto carp all keep state label "CUST-PassCarp"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type echoreq keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type echorep keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to XX.XX.XX.0/24 icmp-type unreach keep state label "CUST-PingOut"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "CUST-PingIn"
match out on vic2 inet from 10.221.181.10 to any label "CUST-NATOut" nat-to (vic2) round-robin
match in on vic2 proto tcp from any to any port = smtp label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 proto tcp from any to any port = www label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 proto tcp from any to any port = ssh label "CUST-RDRFrontPool" rdr-to <CUST_FrontPool> round-robin
match in on vic2 inet proto tcp from any to any port = 5222 label "CUST-RDRBusinessPool" rdr-to 10.221.182.31 port 5222
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = smtp flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = www flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = ssh flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = smtp flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = www flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = ssh flags S/SA keep state label "CUST-PassInFront"
pass in on vic2 inet proto tcp from any to 10.221.182.31 port = 5222 flags S/SA keep state label "CUST-PassInBusiness"
pass in on vic2 inet proto tcp from any to 10.221.182.32 port = 5222 flags S/SA keep state label "CUST-PassInBusiness"
anchor "ftp-proxy/*" all
pass in on vic3 inet proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassInRDRFTP" rdr-to 127.0.0.1 port 8021
pass out on vic2 proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassOutFTP"
pass on vic3 all flags S/SA keep state
pass on vic4 all flags S/SA keep state
pass out on vic2 all flags S/SA keep state

I've replaced the public IP, but all of this works fine sans the FTP-related rules.

Tcpdump shows packets coming in from the local net on vic3, but even though I have set skip on lo0, I see no packets at all on that interface. Ftp-proxy listens with no special arguments on localhost:8021.

I can use ftp from the gateway using the standard ftp client, logged in over ssh that is.

This is my relevant network config.

$ sudo cat /etc/hostname.vic2
inet XX.XX.XX.59 255.255.255.0 XX.XX.XX.255

$ sudo cat /etc/hostname.vic3
inet 10.221.181.10 255.255.255.0 10.221.181.255

So what could I be missing?

#2  13th October 2011, J65nko (Administrator)

What are you trying to achieve? Allow clients from the internal net to use ftp servers on the internet? Or allow external clients to access a ftp-server in a DMZ?

You have 4 interfaces: vic0, vic2, vic3 and vic4. vic2 and 3 are used for carp. Sometimes, but not always, carp is used for fail-over. What is the external interface and which one is the internal one?
A short description/network diagram would be helpful.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3  13th October 2011, nocturnal (New User)

Quote (originally posted by J65nko):
> What are you trying to achieve? Allow clients from the internal net to use ftp servers on the internet? Or allow external clients to access a ftp-server in a DMZ?
>
> You have 4 interfaces: vic0, vic2, vic3 and vic4. vic2 and 3 are used for carp. Sometimes, but not always, carp is used for fail-over. What is the external interface and which one is the internal one?
> A short description/network diagram would be helpful.

Never mind; thanks to Norman on the misc list I was told that my NAT rule was still wrong, and that if I allowed it from all I would have more luck translating from localhost to my external vic2 interface. So now it works.

If anyone wants to use my rules as a reference then know that you should not match out on $ExtIF from $IntIF:network but instead match out on $ExtIF from inet all nat-to ($ExtIF) so NAT can be done from all addresses on your system out through your external one.
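
The fix reported in post #3, as an added example rather than nocturnal's posted ruleset: the NAT and FTP part of the pfctl -sr dump from post #1, rewritten as a commented pf.conf with macros. The interface names, the internal network, the 8021 proxy port and the two translation rules are taken from the thread; the macro names, the "log" on the block rule and the check commands in the trailing comments are my additions. The rc.conf.local variable is the OpenBSD 4.9 way to start the daemon at boot.

```pf
# Added example, not the pf.conf from the thread: FTP and NAT rules only.
ext_if     = "vic2"              # public side, XX.XX.XX.59 per hostname.vic2
int_if     = "vic3"              # customer LAN side, 10.221.181.10
int_net    = "10.221.181.0/24"
proxy      = "127.0.0.1"
proxy_port = "8021"              # ftp-proxy(8) default listening port

set skip on lo0

block drop log all

# Broken (post #1): only packets sourced from the internal net are translated.
# A connection the gateway originates itself, such as ftp-proxy dialing the
# remote FTP server on a client's behalf, does not match this rule.
# match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Working (post #3): translate every outbound packet on $ext_if regardless of
# its source address, so connections from the gateway itself are covered too.
match out on $ext_if inet from any to any nat-to ($ext_if)

# ftp-proxy inserts its per-session match/pass rules for the data
# connections into this anchor.
anchor "ftp-proxy/*"

# Control connection: LAN client -> port 21 anywhere is handed to ftp-proxy.
# The redirected packet is delivered to the local stack straight off $int_if;
# it does not travel through lo0, so tcpdump on lo0 shows nothing even though
# the rdr-to target is 127.0.0.1.
pass in on $int_if inet proto tcp from $int_net to any port ftp \
    rdr-to $proxy port $proxy_port

# ftp-proxy -> remote server control connection.
pass out on $ext_if inet proto tcp from any to any port ftp

pass on $int_if
pass out on $ext_if

# Checks (as root):
#   pfctl -nf /etc/pf.conf            parse only, before loading
#   pfctl -f /etc/pf.conf
#   pfctl -a "ftp-proxy/*" -sr        per-session rules while a transfer runs
#   tcpdump -nettti pflog0 port ftp   FTP packets dropped by the logging block
# Start at boot: ftp_proxy_flags="" in /etc/rc.conf.local.
# Debug by hand: ftp-proxy -d -D 7 (foreground, maximum debug output).
```

The only difference between the commented-out rule and the live one is the source specification; everything else in the thread's ruleset already passed the redirected control connection, so widening the source to "any" is the whole change that post #3 reports as the fix.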

#4  13th October 2011, jggimi (More noise than signal)

Nocturnal, pfctl output is often not as helpful as a pf.conf file with comments, lists, and macros.