
Re: PF Ruleset Problem for Active/Passive FTP



Hi there.
To make FTP work through the pf firewall, you need:

on /etc/inetd.conf (openbsd)
"127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 55000 -M 57000 -u nobody"
on /etc/inetd.conf (freebsd)
"ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 55000 -M 57000 -u nobody"


on pf.conf:
"rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021"
"pass in on $ext_if inet proto tcp from any to $ext_if port > 55000 keep state"
"pass in on $ext_if proto tcp from any port 20 to any"



With this setup your FTP client will be able to work in passive mode and active mode, unless you are running a "strict FTP client" such as NcFTP or some of the Mac OS FTP clients, which won't work in active mode.


I'm still waiting for an idea to make the "strict FTP clients" work with pf :) ; at the moment it is not possible.

cheers
Marcos Biscaysaqu
ThePacific.net




Phusion wrote:


Hi, I've read http://www.openbsd.org/faq/pf/ftp.html about what to do
to allow FTP through the pf firewall, and have tried that, but I am
still having problems. I would like to be able to have rules that support
both active and passive FTP. On my internal network there are
different operating systems with different FTP clients. By the way, I'm
using OpenBSD 3.6 and my firewall provides NAT to the internal
network.

Here's what I have in my inetd.conf:

127.0.0.1:8021  stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -n

Here's some of what I have in my pf.conf:

ext_if          = "fxp0"
int_if          = "sis0"
network         = "10.10.0.0/16"
nat_protocols   = "{ icmp, tcp, udp }"
proto_options   = "modulate state"
tcpsrv_options  = "flags S/SA"
tcp_ports       = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"

# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

pass in on $ext_if inet proto tcp from port 20 to $ext_if \
       user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from $ext_if to any \
       port $tcp_ports $tcpsrv_options $proto_options

How can I write rules that will support both active and passive FTP
and allow my internal machines to connect to external FTP sites?
Let me know what is wrong with what I have. Thanks.

Phusion
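
A consolidated version of the setup discussed in both messages, added here as an editor's example; it is not code from either poster or from the OpenBSD FAQ. It assumes the inetd-based ftp-proxy of OpenBSD 3.6 running as its default user "proxy" (with Marcos's "-u nobody" the two "user proxy" rules would have to say "user nobody" instead), the interface names and network from Phusion's post, and a proxy listening range of 55000-57000 chosen to match the reply; the $proxy_ports macro and the "block all" default policy are additions of this example. The one substantive difference from Phusion's ruleset is the "pass out ... user proxy" rule: a pass out restricted to a fixed port list lets the proxy reach port 21 but blocks its passive-mode data connections to the server's high ports, so the example matches the proxy's uid rather than a port.

```pf
# --- /etc/inetd.conf (OpenBSD 3.6) ---
# Run the inetd-based ftp-proxy on loopback. No -u, so it runs as the
# default user "proxy" and the "user proxy" rules below match its sockets.
# -n: NAT mode, as used in both posts above.
# -m/-M: range of ports the proxy listens on for the server's active-mode
# data connections (range is an assumption matching the reply above).
127.0.0.1:8021  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy -n -m 55000 -M 57000

# --- /etc/pf.conf ---
ext_if      = "fxp0"
int_if      = "sis0"
network     = "10.10.0.0/16"
proxy_ports = "55000:57000"     # must agree with -m/-M in inetd.conf

# NAT the private network to the external address (from the original post)
nat on $ext_if inet proto { icmp, tcp, udp } from $network to any -> ($ext_if)

# Control connections: send every outbound port-21 connection from the LAN
# to the local proxy. After rdr the packet's destination is 127.0.0.1:8021.
rdr on $int_if inet proto tcp from $network to any port 21 -> 127.0.0.1 port 8021

block all
pass quick on lo0

# LAN client -> proxy (the redirected control connection)
pass in on $int_if inet proto tcp from $network to 127.0.0.1 port 8021 \
        flags S/SA keep state

# Proxy -> FTP server: the control connection (port 21) and, in passive
# mode, the data connection to whatever high port the server announced.
# A "pass out" limited to a fixed port list would block the latter; matching
# on the proxy's uid covers both without opening all outbound ports to the LAN.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
        user proxy flags S/SA keep state

# FTP server -> proxy: active-mode data connections come from port 20 to
# the proxy's listening range; "user proxy" ties the rule to the proxy's
# listening socket, so ordinary daemons on the firewall are not exposed.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) port $proxy_ports \
        user proxy flags S/SA keep state

# Remaining LAN traffic (non-FTP), stateful as in the original ruleset
pass in  on $int_if inet proto { tcp, udp, icmp } from $network to any keep state
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it, and confirm the proxy is actually listening with "netstat -an | grep 8021" after sending inetd a HUP; a rdr to a port nothing listens on fails silently from the client's point of view. In active mode the proxy, not the client, accepts the server's data connection, which is why the port-20 rule matches on "user proxy" and the proxy's own port range rather than on anything from the LAN.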