
ftp proxy



I believe I have everything set up correctly to allow FTP to enter my
network as per the FAQ, the multitude of articles as well as the HOW-TO and
misc@ postings.  And I apologise cause I'm sure it is something ignorant
on my part, but I have failed in my attempt to get it up and running
properly.  So here are the details if anyone wants to point out my obvious
mistake (I apologise for the verbosity, I'm trying to provide as much
info as possible... I'm not a firewall/infosec expert):
Machine:
OpenBSD citadel.polyprep.org 3.1 GENERIC#2 i386
OpenBSD 3.1-current (GENERIC) #2: Wed Aug 14 20:18:15 MDT 2002
It's a Dell PowerEdge 350 w/ two fxp interfaces, P3 800 MHz and 256 of RAM.
The only significant thing it is running is PF.
The machine sits in between our Cisco 2610 which routes our T1 and our
Catalyst 2948GL3 which acts as a distribution switch.
It is bridging.
Here is the interface info.
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:b1:1e:20
        media: Ethernet autoselect (10baseT)
        status: active
        inet 192.168.3.253 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::202:b3ff:feb1:1e20%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:b1:1e:21
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.3.254 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::202:b3ff:feb1:1e21%fxp1 prefixlen 64 scopeid 0x2
Here is the bridge info.
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                fxp1 flags=3<LEARNING,DISCOVER>
                        port 2 priority 128
                fxp0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128
ftp-proxy exists...
-r-xr-xr-x  1 root  bin  28672 Aug 14 22:02 /usr/libexec/ftp-proxy
In /etc/inetd.conf I have added:
127.0.0.1:8081  stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy
And here is my (moderated) pf.conf
# Defines network interfaces.
ext_if  = "fxp0"
int_if  = "fxp1"
# Defines unroutable addresses.
noroute = "{ 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
# Defines our servers.
mono_ip  = "192.168.0.230/32"
kayla_ip = "192.168.0.231/32"
mothra_ip = "192.168.0.232/32"
optimus_ip = "192.168.0.233/32"
rashomon_ip = "192.168.0.234/32"
picco_1_ip = "172.16.0.5/32"
# Defines our services
mono_srv = "{ 5800, 5900, ftp, ftp-data, 113 }"
kayla_srv = "{ imap, pop3, http, https, 5800, 5900, 143, 993, 102, 110, 995, 25, 119, 563 }"
mothra_srv = "{ 5800, 5900, ftp, ftp-data, http }"
optimus_srv = "{ 5800, 5900 }"
rashomon_srv = "{ 5800, 5900, 1433, 27015 }"
picco_1_srv = "{ 5800, 5900 }"
# Defines ports/hosts to block to prevent P2P filesharing programs.
KAZAA_SRV = "213.248.112.0/24"
MORPHEUS_SRV = "206.142.53.0/24"
AUDIOGAL_SRV = "64.245.58.0/23"
P2P_PORTS = "{ 6346, 6347, 6348, 6349, 6355, 5634, 1214 }"
# Normalizes packets.
scrub in all
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy running on port 8081
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# Default deny.
block in  on $ext_if all
block out on $ext_if all
# Passes connections to the ftp-proxy.
pass  in on $ext_if proto tcp from any to $int_if port > 49151 keep state
#Helps to prevent spoofing.
block in  log quick on $ext_if inet from $noroute to any
block out log quick on $ext_if inet from any to $noroute
# Saves CPU time by unhindering the loopback interface.
pass  in  quick on lo0 all
pass  out quick on lo0 all
# Attempts to block P2P filesharing.
block out log quick on $ext_if proto tcp from any to any port $P2P_PORTS
block in  log quick on $ext_if proto tcp from any to any port $P2P_PORTS
block out log quick on $ext_if proto tcp from any to $KAZAA_SRV
block in  log quick on $ext_if proto tcp from $KAZAA_SRV to any
block out log quick on $ext_if proto tcp from any to $MORPHEUS_SRV
block in  log quick on $ext_if proto tcp from $MORPHEUS_SRV to any
block out log quick on $ext_if proto tcp from any to $AUDIOGAL_SRV
block in  log quick on $ext_if proto tcp from $AUDIOGAL_SRV to any
# Allows pings.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# Allows EXPLICITLY DEFINED traffic (services) to EXPLICITLY DEFINED hosts (servers).
pass in on $ext_if inet proto { tcp, udp } from any to $mono_ip      port $mono_srv      flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $kayla_ip     port $kayla_srv     flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $mothra_ip    port $mothra_srv    flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $optimus_ip   port $optimus_srv   flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $rashomon_ip  port $rashomon_srv  flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $picco_1_ip   port $picco_1_srv   flags S/SA keep state
# Opens states for exiting connections.
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state
Thanks a lot!  Even if you didn't respond... you took the time to read
through all this.  I appreciate it.
- Nathan
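The following is an added example, not part of Nathan's post and not PF's own code: a small Python model of the three pf.conf(5) evaluation rules that decide what happens to a packet under a ruleset like the one above (rdr translation is applied before filtering and the filter rules see the translated address and port; the last matching filter rule wins; a rule marked quick ends evaluation). It loads a subset of the posted macros and rules (the mono and kayla pass rules, the noroute, P2P and KAZAA blocks, the default blocks and the pass out rules) and runs constructed packets through them. State tracking, TCP flags, scrub, ICMP, IPv6 and the bridge path are deliberately not modelled, so it answers "which rule decides this packet" and nothing more; the real answer for a running box comes from pfctl -s rules, pfctl -s nat and pflog. The source addresses 198.51.100.x are constructed test values.

```python
"""Simplified model of PF rule selection (added example; not PF code, not from the post).

Models from pf.conf(5): rdr runs before filtering and filter rules see the translated
destination; the last matching filter rule wins; 'quick' stops evaluation.
Not modelled: state, TCP flags, scrub, ICMP, IPv6, bridge behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "pass" or "block"
    direction: str                              # "in" or "out"
    label: str                                  # the pf.conf line it stands for
    iface: Optional[str] = None                 # None = any interface
    proto: Optional[Tuple[str, ...]] = None     # None = any protocol
    src: Optional[Tuple[str, ...]] = None       # CIDR list; None = any
    dst: Optional[Tuple[str, ...]] = None
    dports: Optional[Tuple[int, ...]] = None    # port list; None = any
    min_port: Optional[int] = None              # models "port > N"
    quick: bool = False


@dataclass(frozen=True)
class Rdr:
    iface: str
    dport: int
    new_dst: str
    new_port: int


def in_nets(addr: str, cidrs) -> bool:
    if cidrs is None:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or p.proto in r.proto)
            and in_nets(p.src, r.src) and in_nets(p.dst, r.dst)
            and (r.dports is None or p.dport in r.dports)
            and (r.min_port is None or p.dport > r.min_port))


def translate(rdrs, p: Packet) -> Packet:
    """rdr: the first matching rule rewrites the destination before any filter rule runs."""
    for r in rdrs:
        if p.direction == "in" and p.iface == r.iface and p.proto == "tcp" and p.dport == r.dport:
            return Packet(p.direction, p.iface, p.proto, p.src, r.new_dst, r.new_port)
    return p


def evaluate(rules, rdrs, p: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet: last match wins, quick stops."""
    p = translate(rdrs, p)
    decision = ("pass", "implicit default pass")
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision


# Macros from the posted pf.conf, with service names resolved to port numbers.
EXT_IF, INT_IF_ADDR = "fxp0", "192.168.3.254/32"
NOROUTE = ("172.16.0.0/12", "127.0.0.0/8", "10.0.0.0/8", "0.0.0.0/8",
           "169.254.0.0/16", "192.0.2.0/24", "204.152.64.0/23", "224.0.0.0/3")
MONO, KAYLA, KAZAA = "192.168.0.230/32", "192.168.0.231/32", "213.248.112.0/24"
MONO_SRV = (5800, 5900, 21, 20, 113)
KAYLA_SRV = (143, 110, 80, 443, 5800, 5900, 993, 102, 995, 25, 119, 563)
P2P_PORTS = (6346, 6347, 6348, 6349, 6355, 5634, 1214)
TCP, TCPUDP = ("tcp",), ("tcp", "udp")

RDRS = [Rdr(EXT_IF, 21, "127.0.0.1", 8081)]
RULES = [  # subset of the posted ruleset, in the posted order
    Rule("block", "in", "block in on $ext_if all", EXT_IF),
    Rule("block", "out", "block out on $ext_if all", EXT_IF),
    Rule("pass", "in", "pass in to $int_if port > 49151", EXT_IF, TCP, dst=(INT_IF_ADDR,), min_port=49151),
    Rule("block", "in", "block in quick from $noroute", EXT_IF, src=NOROUTE, quick=True),
    Rule("block", "out", "block out quick to $noroute", EXT_IF, dst=NOROUTE, quick=True),
    Rule("block", "out", "block out quick P2P ports", EXT_IF, TCP, dports=P2P_PORTS, quick=True),
    Rule("block", "in", "block in quick P2P ports", EXT_IF, TCP, dports=P2P_PORTS, quick=True),
    Rule("block", "out", "block out quick to $KAZAA_SRV", EXT_IF, TCP, dst=(KAZAA,), quick=True),
    Rule("block", "in", "block in quick from $KAZAA_SRV", EXT_IF, TCP, src=(KAZAA,), quick=True),
    Rule("pass", "in", "pass in to $mono_ip", EXT_IF, TCPUDP, dst=(MONO,), dports=MONO_SRV),
    Rule("pass", "in", "pass in to $kayla_ip", EXT_IF, TCPUDP, dst=(KAYLA,), dports=KAYLA_SRV),
    Rule("pass", "out", "pass out tcp all", EXT_IF, TCP),
    Rule("pass", "out", "pass out udp all", EXT_IF, ("udp",)),
]


def decide(direction, iface, proto, src, dst, dport) -> Tuple[str, str]:
    return evaluate(RULES, RDRS, Packet(direction, iface, proto, src, dst, dport))


if __name__ == "__main__":
    # Constructed packets; 198.51.100.x is a documentation prefix used as a stand-in source.
    for pkt in [("in", "fxp0", "tcp", "198.51.100.7", "192.168.0.230", 21),   # rdr'd to 127.0.0.1:8081
                ("in", "fxp0", "tcp", "198.51.100.7", "192.168.0.230", 20),   # not rdr'd, mono rule
                ("in", "fxp0", "tcp", "213.248.112.9", "192.168.0.231", 80),  # quick block beats later pass
                ("out", "fxp0", "tcp", "192.168.0.230", "10.0.0.5", 80)]:     # quick block to noroute
        print(pkt, "->", decide(*pkt))
```

The first packet is the instructive one: because the rdr on fxp0 rewrites every inbound port 21 connection to 127.0.0.1:8081 before filtering, the filter rules never see the server address, so the "pass in to $mono_ip" rule does not match it even though ftp is in $mono_srv, and the default "block in on $ext_if all" decides; port 20 to the same host, which no rdr touches, is passed by the mono rule. The KAZAA and noroute packets show how a quick rule placed early overrides a matching pass rule placed later. Whether a bridge delivers a packet rewritten to 127.0.0.1 to the local ftp-proxy at all is outside this model.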