DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th November 2008
milo974 milo974 is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 58
Question ftp-server behind pf/nat

hello,

at work :
internet-->cisco modem router-->OpenBSD4.3 with PF/NAT-->servers

Internet ip address is fixe : 193.253.XXX.XXX
OpenBSD Gateway : 192.168.0.73(rl0) / 192.168.1.73 (fxp0)
Modem Router : 192.168.1.254
ftp-server : 192.168.0.88 (windows server 2003,iis)

Ports 21,20 are opened on cisco modem router (to openbsd gateway)
on OpenBSD Machine :
- added in rc.conf.local
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"

- added theses lines in my pf.conf (my block policy, block in log on ext_if) :
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on egress proto tcp from any to port 21 -> $ftp-server
rdr on egress proto tcp from any to port 20 -> $ftp-server
pass in quick on egress proto tcp to $ftp-server \
port 21
pass in quick on egress proto tcp to $ftp-server \
port 20

At home, i can't access ftp, in active mode or in passive mode (return me 192.168.0.88), someone can help me please ?

Last edited by milo974; 20th November 2008 at 04:37 PM. Reason: more precision
Reply With Quote
  #2   (View Single Post)  
Old 20th November 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,032
Default

Your description of your internal network and your OpenBSD configuration is not complete.

It seems to me that your problem might be due to the definition of the egress group. A contributing factor might be a different (or missing) nat instruction at the nat-anchor.

If you look at the example pf.conf excerpt in the "FTP Server Protected by an External PF Firewall Running NAT" section of the Issues with FTP chapter of the PF User's Guide, you will see that explicit external and internal interfaces are used, and there is a nat statement as well.

Here is a link for your convenience: http://openbsd.rt.fm/faq/pf/ftp.html#natserver

Last edited by jggimi; 20th November 2008 at 06:16 PM. Reason: added nat comments.
Reply With Quote
  #3   (View Single Post)  
Old 20th November 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,165
Default

So you have:
Code:
    INTERNET
        |
        |
--------|----------
  192.253.XXX.XXX  

 Cisco modem/router

  192.168.1.254
--------|---------
        | 
        | 
--------|----------
   192.168.1.73 

 OpenBSD firewall

   192.168.0.73 
--------|----------
        | 
        | 
--------|----------
   192.168.0.88 

  IIS ftp server
-------------------
You have the following conf to enable
Code:
ftpproxy_flags="-R 192.168.0.88 -p 21 -b 192.168.0.73"
This is correct. The -R specifies the IP address of the FTP server. The -b option correctly specifies the external interface address as the address to listen for redirected ftp control connections. And -p is the listening port for ftp-proxy.


As Jgimi pointed out, you are missing:
Code:
    pass out on $int_if inet proto tcp to $ftp_ip port 21 \
        user proxy flags S/SA keep state
    anchor "ftp-proxy/*"
Re: Active ftp

Ftp uses 2 different TCP connections: a ftp CONTROL or COMMAND connection, and a ftp DATA connection.

In both active as well passive ftp, the client opens the ftp CONTROL connection to the server using destination port 21.

The difference is the way the ftp DATA channel is setup:
  • Ftp DATA channel initiator:
    • Passive ftp data connection is initiated by the ftp client
    • Active ftp data connection is initiated by the ftp server
  • Usage of ports in DATA channel:
    • Passive ftp: the client uses a source port >1023 and a destination port >1024
    • Active ftp: the server uses a destination port >1023 and a source port 20

If I were you I would forget about supporting ACTIVE ftp. The majority of firewall administrators only allow connections initiated from their local LAN and block incoming connections initiated by external parties, which includes ACTIVE data channel connections.

RE: debugging

Please use a block log (all) policy, which makes blocked packet information to be sent to a pflog device. You can watch these packets
by running tcpdump on the pflog interface/device
Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 9th December 2008 at 01:00 AM. Reason: Fixed typo's
Reply With Quote
  #4   (View Single Post)  
Old 21st November 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Default

Quote:
Originally Posted by J65nko View Post
This is correct. The -R specifies the IP address of the FTP server. The -b option correctly specifies the external interface address as the address to listen for redirected ftp control connections. And -p is the listening port for ftp-proxy.

Can I ask what is it that you would do if your external interface address is dynamic?
Reply With Quote
  #5   (View Single Post)  
Old 21st November 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,032
Default

That's an off-topic question, neurosis. There are several solutions, including scripting a restart of ftp-proxy each time the address changes. The easiest solution is to run your FTP server on the OpenBSD box with the dynamic IP address, rather than behind it. In that case, read the PF "Self-Protecting" an FTP Server section of the page from the PF User's Guide I mentioned above.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Sun Java System Web Server - Active Server Pages (yes ASP) hopla FreeBSD General 0 26th September 2008 08:22 AM


All times are GMT. The time now is 11:30 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick