
FTP and tables woes...



Hi, I'm having some trouble while trying to use tables to limit ftp
access to Windows users in my office LAN on an OpenBSD 3.4 firewall.
Here are my relevant rules:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Macros: define common values, so they can be referenced and changed easily.
ext_if = "xl0"	# replace with actual external interface name i.e., dc0
int_if = "xl1"	# replace with actual internal interface name i.e., dc1
mgmt_if = "fxp0"	# replace with actual internal interface name i.e., dc1
# Internal LAN
internal_net = "{ 192.168.3.0/24 192.168.4.0/24 }"
# Tables: similar to macros, but more flexible for many addresses.
[..]
# Table of hosts allowed to use FTP
table <ftp_allowed_hosts> persist { 127.0.0.1, 192.168.3.248, 192.168.3.9, 192.168.3.10 }
[..]
set loginterface $ext_if
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
scrub in all no-df random-id
scrub out all no-df random-id
nat on $ext_if inet from $internal_net to any -> ($ext_if) static-port
# rdr
# rdr on $int_if inet proto tcp from <ftp_allowed_hosts> to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Filtering
block in log on $ext_if inet all
block out log on $ext_if inet all
block in log quick on $ext_if from any to { 255.255.255.255, 224.0.0.0/8, 239.0.0.0/8 }
block in log quick on $ext_if proto { 2, 103 } all
 
block return in from any os NMAP
# FUP
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
[..]
# Antispoof
antispoof log quick for $int_if inet
block in log quick on $ext_if inet from <rfc1918> to any 
block out log quick on $ext_if inet from any to <rfc1918> 
pass quick on lo0 all
pass in quick log on $int_if from $internal_net to any keep state
pass out quick log on $int_if from any to $internal_net keep state
# Block IM
block return-rst out quick log on $ext_if inet proto tcp from any to { <MSN_Messenger>, <hostname_MSN>, <Yahoo_Messenger>, <ICQ> } flags S/SA
# Live Radio
block return in log quick on $ext_if inet from <RTL> to any flags S/SA
# TCP
# WWW
pass out quick on $ext_if inet proto tcp from any to any port { www, https } flags S/SA modulate state
# Mail
pass out quick on $ext_if inet proto tcp from any to <posta_ufficio> port { imap, imaps, imap3, smtp } flags S/SA modulate state
# FTP
# pass out quick log on $ext_if inet proto tcp from any to any port { ftp, ftp-data } flags S/SA modulate state
pass out quick log on $ext_if inet proto tcp from <ftp_allowed_hosts> to any port { ftp, ftp-data } flags S/SA modulate state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 49152 >< 65535 modulate state
pass out quick on $ext_if inet proto tcp from any port 49152 >< 65535 to $ext_if modulate state
# SSH
pass in quick inet proto tcp from <ssh_allowed_hosts> to any port 2244 flags S/SA modulate state
# Domain
pass out quick on $ext_if inet proto udp from any to any port domain keep state
# Timex
pass out quick on $ext_if inet proto udp from any port 33434 >< 33690 to any keep state
pass out quick on $ext_if inet proto icmp all icmp-type timex keep state
# ICMP
# pass in quick on $int_if inet proto icmp all icmp-type 8 code 0 keep state
# pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $int_if inet proto icmp from any to any keep state
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
As you may notice, I was trying to limit the pass out rule by inserting
allowed IP addresses into the <ftp_allowed_hosts> table, but when an allowed
machine tries to connect, the remote peer closes the connection.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
tcpdump: listening on xl1
Jun 15 16:08:53.586267 0:50:da:4b:70:75 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.3.248 tell 192.168.3.10
Jun 15 16:08:53.586287 0:1:2:15:4:30 0:50:da:4b:70:75 0806 60: arp reply 192.168.3.248 is-at 0:1:2:15:4:30
Jun 15 16:08:53.586388 0:50:da:4b:70:75 0:1:2:15:4:30 0800 62: 192.168.3.10.1593 > 213.254.1.50.21: S 2175699328:2175699328(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jun 15 16:08:53.586560 0:1:2:15:4:30 0:50:da:4b:70:75 0800 62: 213.254.1.50.21 > 192.168.3.10.1593: S 1180595105:1180595105(0) ack 2175699329 win 17520 <mss 1460,nop,nop,sackOK>
Jun 15 16:08:53.586694 0:50:da:4b:70:75 0:1:2:15:4:30 0800 60: 192.168.3.10.1593 > 213.254.1.50.21: . ack 1 win 65535 (DF)
Jun 15 16:08:53.600953 0:1:2:15:4:30 0:50:da:4b:70:75 0800 54: 213.254.1.50.21 > 192.168.3.10.1593: F 1:1(0) ack 1 win 17520
Jun 15 16:08:53.601118 0:50:da:4b:70:75 0:1:2:15:4:30 0800 60: 192.168.3.10.1593 > 213.254.1.50.21: . ack 2 win 65535 (DF)
Jun 15 16:08:53.604664 0:50:da:4b:70:75 0:1:2:15:4:30 0800 60: 192.168.3.10.1593 > 213.254.1.50.21: R 2175699329:2175699329(0) win 0 (DF)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=> CLIP HERE < =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
After changing the pass out rule to
pass out quick log on $ext_if inet proto tcp from any to any port { ftp, ftp-data } flags S/SA modulate state
everything works OK. I also tried to use the table in the rdr rule, but
it seemed to have no effect. Any hints? TIA.
-- 
Pierluigi De Rosa ([email protected]).
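An added illustration, not from the original post or from any reply to it. In pf, translation (nat/rdr) is applied before the filter rules are evaluated, so the `pass out` rule on $ext_if never sees the internal client's address: a directly NATed connection carries the $ext_if address, and a connection opened by the proxy on 127.0.0.1 port 8021 (presumably ftp-proxy(8), given the rdr rule) originates from the firewall itself. A table of internal hosts can therefore never match on the external side. The inbound side of $int_if is where the client's original source address is still visible, so that is where membership in `<ftp_allowed_hosts>` can be enforced. The fragment assumes the macros and tables from the post, assumes ftp-proxy(8) behind the rdr, and must sit before the author's `pass in quick log on $int_if from $internal_net` rule, since that rule is `quick` and would otherwise win.

```pf
# Added example (not from the original post): enforce the FTP client
# whitelist on the internal interface, before any address translation.
# Assumes $int_if, $ext_if and <ftp_allowed_hosts> as defined in the post,
# and ftp-proxy(8) listening on 127.0.0.1 port 8021 (assumption).

# Only listed clients are handed to the proxy. rdr runs before the filter
# rules, so for these hosts the filter on $int_if sees dst 127.0.0.1:8021.
rdr on $int_if inet proto tcp from <ftp_allowed_hosts> to any port ftp \
    -> 127.0.0.1 port 8021

# Every other internal host still has dst port 21 at this point; drop it
# here. This block must precede the general "pass in quick ... from
# $internal_net" rule, which is quick and would otherwise match first.
block in log quick on $int_if inet proto tcp \
    from ! <ftp_allowed_hosts> to any port ftp

# Control and data connections opened by the proxy leave $ext_if from the
# firewall's own address, so the table cannot be used here; match the
# interface address instead of "any" to keep the rule tight.
pass out quick log on $ext_if inet proto tcp from ($ext_if) to any \
    port { ftp, ftp-data } flags S/SA modulate state
```

With this layout, a host that is not in the table gets its SYN to port 21 logged and dropped on xl1 and never reaches the proxy, while allowed hosts are redirected and the proxy's outbound connection matches the $ext_if rule. The existing `pass in ... port 49152 >< 65535` rule in the post still covers the server-initiated data connections in active mode. Table membership can be checked at any time with `pfctl -t ftp_allowed_hosts -T show`.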