PF Nat & ftp-proxy & pure-ftpd never worked

[bryn1u]

Hello guys,

I can't resolve problem with Nat and PF. I always getting some issue. I tried almost everything, with ftp-proxy and without ftp-proxy, with opened passive range ports but it never worked. Someone can tell my what am i doing wrong ?

Code:

################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###

IP_PUB="79.137.56.144"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{ 20,21 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

################################
### Queues, States and Types ###
################################

 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 synstate ="flags S/UAPRSF synproxy state"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"

################
### Tables #####
################

 table <blocktemp> counters
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist

######################

 set skip on lo
 set debug urgent
 set ruleset-optimization none

##########################
## ### Timeout Options ###
##########################

 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

###################################
### Traffic Normalization    ###
######################################################################################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###########################
##   Queueing Rules      ##
###########################
###############################################
### NAT and Redirection rules are first match #
###############################################

nat on em0 from $NET_JAIL to any -> $IP_PUB static-port
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

###########################
# DENY rouge redirection###
###########################

 no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

#####################################################
# Block os-fingerprinting probes               ##
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR ##
#####################################################

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic         #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

################################
# Block all ips              ##
# pfctl -t blockedip -T show  ##
################################

 block drop in log (all)  quick on $ext_if from <bruteforce> to any
 block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

# pass for jail ports
# pass in on $ext_if proto tcp from any to $IP_JAIL port {20,21} $tcpstate

Im getting message in filezilla like "can't be routed". I check in tcpdump. I have connection from me to server listen on port 21 but never get back from server to me. I really stop understanding it.
pure-ftpd is in jail 192.168.0.1 and listen on 192.168.0.1:21

[J65nko]

I only know to configure ftp-proxy on a OpenBSD firewall protecting my home network. I never did use it for a ftp server. IIRC you have to use the -R option for a server.

Are you running the ftp server in your home network or in a data center?

How did you configure ftp-proxy?

Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home lan

Code:

tcp          0      0  127.0.0.1.8021         *.*                    LISTEN

The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: Don't know if this is applicable to FreeBSD 11

[J65nko]

The ftp-proxy in the recent versions of OpenBSD has been rewritten and is different from the old one that seems to be in FreeBSD 11.

Does this from the FreeBSD man page apply (because you use a "hardened" ruleset)?:

Code:

 CAVEATS
     pf(4) does	not allow the ruleset to be modified if	the system is running
     at	a securelevel(7) higher	than 1.	 At that level ftp-proxy cannot	add
     rules to the anchors and FTP data connections may get blocked.

For debugging you also could use the -D7 option.

[bryn1u]

Quote:

Originally Posted by J65nko

I only know to configure ftp-proxy on a OpenBSD firewall protecting my home network. I never did use it for a ftp server. IIRC you have to use the -R option for a server.

Are you running the ftp server in your home network or in a data center?

How did you configure ftp-proxy?

Does # netstat -4an report that ftp-proxy is running/LISTENing?
On my home lan

Code:

tcp          0      0  127.0.0.1.8021         *.*                    LISTEN

The OpenBSD pf faq has a section about using ftp-proxy to protect a server. See: https://www.openbsd.org/faq/pf/ftp.html
CAVEAT: Don't know if this is applicable to FreeBSD 11

I remove the NAT and made an active connection on the same host as ftpd is. I can connect through ftp but i can't list directories (
As i mentioned when PF is turned off, ftpd working good.

Code:

################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###

IP_PUB="79.137.56.144"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

################################
### Queues, States and Types ###
################################

 IcmpPing ="icmp-type 8 code 0"
 SshQueue ="(ssh_bulk, ssh_login)"
 synstate ="flags S/UAPRSF synproxy state"
 tcpstate ="flags S/UAPRSF modulate state"
 udpstate ="keep state"

################
### Tables #####
################

 table <blocktemp> counters
 table <bruteforce> persist file "/etc/bruteforce"
 table <spamd-white> persist

######################

 set skip on lo
 set debug urgent
 set ruleset-optimization none

##########################
## ### Timeout Options ###
##########################

 set optimization normal
 set timeout { tcp.closing 60, tcp.established 7200}

###################################
### Traffic Normalization    ###
######################################################################################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

###########################
# DENY rouge redirection###
###########################

 no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic         #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

################################
# Block all ips              ##
# pfctl -t blockedip -T show  ##
################################

 block drop in log (all)  quick on $ext_if from <bruteforce> to any
 block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
 pass in on $ext_if proto tcp from any to any port 22   $tcpstate $stossh
 pass in on $ext_if proto tcp from any to any port 80   $tcpstate $stowww

#### UDP ###
 pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

Related to securelevel:

Code:

root@HardenedBSD:/usr/ports/hardenedbsd/secadm # sysctl -a | grep -i securelevel
kern.securelevel: -1
security.jail.param.securelevel: 0
root@HardenedBSD:/usr/ports/hardenedbsd/secadm #