From owner-freebsd-pf@FreeBSD.ORG Wed Jan 18 17:12:32 2006
From: "Keith Bottner" <keith@barkinglizards.com>
To: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 11:11:52 -0600
Organization: Barking Lizards Technologies
Message-ID: <02ce01c61c52$47119b30$0e01a8c0@Stile>
Subject: client FTP using NAT
List-Id: "Technical discussion and general questions about packet filter (pf)"

I am having trouble allowing clients that are inside the PacketFilter firewall to retrieve data from external FTP sites. The connection works fine, but a simple ls on the remote server returns a "Connection closed by remote host." My pf.conf is below; any help would be appreciated.
Thanks in advance,
Keith

##########
# MACROS #
##########

# External (Internet) (5 externally addressable IPs)
# 17(gw)
# 18 NAT
# 19 company.com
# 20 UNUSED
# 21 UNUSED
# 22 OTHER
ext_if="xl1"
#ext_net="xxx.yyy.zzz.0/29"
ext_gw_addr="xxx.yyy.zzz.17"
ext_nat_addr="xxx.yyy.zzz.18"
ext_http_addr="xxx.yyy.zzz.19"
ext_ftp_addr="xxx.yyy.zzz.19"
ext_unused1_addr="xxx.yyy.zzz.20"
ext_unused2_addr="xxx.yyy.zzz.21"
ext_other_addr="xxx.yyy.zzz.22"

# Internal (Intranet)
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ
dmz_if="vr0"
dmz_net="10.11.13.0/24"
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_perforce_addr="10.11.13.106"
dmz_cerebro_addr="10.11.13.103"

##########
# TABLES #
##########
# The <name> of each table was stripped in the list archive; <private> and
# <ext_addrs> are placeholder names, and the table used by the "block out"
# rule below is assumed to be <private>.
table <private> const { 127/8, 10/8, 172.16/12, 192.168/16 }
table <ext_addrs> const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20, xxx.yyy.zzz.21 }

###########
# OPTIONS #
###########

#################
# NORMALIZATION #
#################
scrub in all fragment reassemble

############
# QUEUEING #
############

###############
# TRANSLATION #
###############
# NAT workstations
nat on $ext_if from $int_net to any -> $ext_nat_addr
# NAT servers external requests
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# Outgoing FTP requests to the ftp-proxy
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# WWW server access
rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
# FTP server access (VSFTP on lab5 uses 30000-30999; if we change ftp servers then modify)
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all
block in log quick on $ext_if from <private> to any
block out quick on $ext_if from any to <private>
antispoof quick for { $int_if, $dmz_if } inet
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
# FTP Client active connections working with ftp-proxy
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
# Enables FTP active mode connections. See the redirection section for the line that enables
# FTP passive.
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
# FTP SERVER behind a PF filter.
#pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
# FTP Server specific rules
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
# Pass all traffic to and from the Internal Network
pass in on $int_if from $int_net to any keep state
#pass out on $int_if from any to $int_net keep state
# Pass all traffic to and from the DMZ Network
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state
# Pass TCP, UDP, and ICMP out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
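An added worked example, not part of Keith's post and not pf or ftp-proxy code: the reason a stateful NAT gateway needs ftp-proxy at all is that the FTP data channel is negotiated inside the control connection (PORT from the client, or the 227 reply to PASV from the server), and depending on the mode either the server dials back in or the client dials out. The script below reads a constructed control-channel transcript (addresses are documentation/RFC 1918 ranges, not the poster's), decodes each negotiated data channel, and states which side opens it and which class of pf rule on the gateway would have to allow it. The rule hints are phrased after the rules in the pf.conf above but are this example's assumptions about rule classes, not a diagnosis of the reported failure; the private-range list mirrors the post's table.

```python
"""Decode FTP data-channel negotiations from a control-connection transcript.

Added example (not from the mailing-list post). The sample session is
constructed; "C:" lines are the client behind NAT, "S:" lines the server.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed exchange: client 192.168.1.50 behind the gateway, external server
# 203.0.113.5. The first LIST uses passive mode, the second active mode.
SAMPLE_SESSION = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (203,0,113,5,195,80)
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: PORT 192,168,1,50,4,210
S: 200 PORT command successful.
C: LIST
S: 425 Can't open data connection.
"""

# Same private ranges the post's pf.conf blocks on the external interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataChannel:
    mode: str          # "active" (PORT) or "passive" (PASV)
    host: str          # address the data connection will be made to
    port: int          # port the data connection will be made to
    opened_by: str     # "server" or "client"
    needs_proxy: bool  # True when plain NAT cannot carry this channel
    rule_hint: str     # assumed class of pf rule on the gateway that must allow it


def parse_hostport(text):
    """Decode the comma-separated host/port tuple; port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    o = m.groups()
    return ".".join(o[:4]), int(o[4]) * 256 + int(o[5])


def is_private(host):
    """True if host falls in one of the RFC 1918/loopback ranges above."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in PRIVATE_NETS)


def classify(line):
    """Return a DataChannel for a PORT command or a 227 reply, else None."""
    who, _, text = line.partition(": ")
    if who == "C" and text.upper().startswith("PORT "):
        host, port = parse_hostport(text)
        private = is_private(host)
        # Active mode: the server connects back to the address the client
        # advertised. Behind NAT that address is private, so plain NAT cannot
        # deliver it; something (ftp-proxy) must rewrite the PORT payload.
        return DataChannel(
            mode="active", host=host, port=port, opened_by="server",
            needs_proxy=private,
            rule_hint=("PORT advertises a private address; the server cannot "
                       "reach it unless ftp-proxy rewrites the command"
                       if private else
                       "pass in on $ext_if proto tcp from port ftp-data ..."))
    if who == "S" and text.startswith("227"):
        host, port = parse_hostport(text)
        # Passive mode: the client dials out, which ordinary NAT plus an
        # outbound keep-state rule already handles.
        return DataChannel(
            mode="passive", host=host, port=port, opened_by="client",
            needs_proxy=False,
            rule_hint="pass out on $ext_if proto tcp ... keep state (plus nat)")
    return None


def analyze_session(session=SAMPLE_SESSION):
    """List every data channel negotiated in a control-channel transcript."""
    return [ch for ch in map(classify, session.splitlines()) if ch is not None]


if __name__ == "__main__":
    for ch in analyze_session():
        print(f"{ch.mode:7s} opened by {ch.opened_by} -> {ch.host}:{ch.port}  "
              f"proxy needed: {ch.needs_proxy}  rule: {ch.rule_hint}")
```

Run it against a real transcript captured with tcpdump on the internal interface (port 21 only) and the second column tells you which interface and direction to look at in pflog when a listing hangs: a passive LIST that fails points at the outbound rules on the external interface, an active LIST at the inbound rule that admits the server's connection from port ftp-data to the proxy.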