
Yet another FTP and ftp-proxy question



Hi
Firstly, I would like to say hi. I work at a computer software company
in Australia. 
Now, I have read the manual (repeatedly) and I have also searched the
mailing list archives and lots on google. While I can find plenty about
FTP and NAT, I can't find what to do when you are not using NAT and
have FTP servers and clients behind the firewall. With that out of the
way, I was hoping to get some help with a new firewall and some FTP
woes.
The firewall is a border firewall as follows:
Internet
  |Router
  |Firewall (this is the box in question. Running OpenBSD 3.5)
  |External servers (all have valid external IP addresses)
NB: There is also a NAT box in the "external server" pool that is the
gateway between our internal network (about 100 workstations) and the
net.
I have written a deny based ruleset for the firewall. All parts (mail,
web, DNS, nmap scan blocking, etc) are good and working well...
except for the ever problematic FTP. I have tried a number of different
combinations and all seem to have one problem or another. I need to:
- allow active FTP connections from the net to the FTP servers;
- allow passive FTP connections from the net to the FTP servers;
- allow active FTP connections from internal clients to FTP servers on
the internet; and
- allow passive FTP connections from internal clients to FTP servers on
the internet.
In addition to trying heaps of combinations and reading the tcpdump of
the pf logs, I have also looked at tcpdumps on the internal machine,
the firewall and the external machine to try and understand where the
FTP connections are going and therefore which rules are required. I am
now rather confused. :( I have also noticed that some combinations work
for some connection types but not all or seem to work for a connection
type but slow the transfer rate down to around 40kB/s from 5,000kB/s
(over 100Mbps ethernet in the test lab at the moment).
If someone could suggest some appropriate rules and, if you have time,
I would love to be pointed to a website or otherwise read about how
ftp-proxy actually works. It _seems_ from the tcpdumps that in certain
cases it passes the ftp data connections straight through although that
might just be some misconfigured rules.
Anyway, thanks in advance and sorry if that was too long but I wanted
to be thorough.
Andrew
--
The best rule combination I have tried is below. FTP servers are
configured to limit high ports to 49152 -> 65534 and ftp-proxy is
configured in inetd.conf (I tried it with and without the -n property
even though I am not masquerading):
ftpbox       = 192.168.1.112
ftp2box      = 192.168.1.111
ftphighports = "49152:65534"
ftpservers   = "{" $ftpbox $ftp2box "}"
ftpports     = "{ 20 21 }"
TAKE ONE - FOR FTP SERVERS
## This (understandably) only works for active ftp connections 
## to the ftp servers
pass quick proto tcp from any to $ftpservers port $ftpports \
  keep state 
TAKE TWO - FOR FTP SERVERS
pass in log quick on $ext_if proto tcp from any to $ftpservers \
  port $ftpports keep state
pass out log quick on $int_if proto tcp from any to $ftpservers \
  port $ftpports keep state
pass in log quick on $ext_if proto tcp from any to $ftpservers \
  port $ftphighports keep state
pass out log quick on $int_if proto tcp from any to $ftpservers \
  port $ftphighports keep state 
TAKE THREE - FOR FTP CLIENTS
rdr on $int_if proto tcp from $int_net to any \
  port 21 -> 127.0.0.1 port 8021
#(ftp-proxy is configured in inetd.conf)
pass in quick log on $int_if proto tcp from $int_net to \
  127.0.0.1 port 8021 keep state
pass out quick log on $ext_if proto tcp from any to any \
  user proxy keep state
pass out quick log on $int_if proto tcp from any to any \
  user proxy keep state
END