From: Scott Ullrich <sullrich@gmail.com>
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Date: Wed, 18 Jan 2006 12:18:29 -0500
Subject: Re: client FTP using NAT
In-Reply-To: <02ce01c61c52$47119b30$0e01a8c0@Stile>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

On 1/18/06, Keith Bottner wrote:
> I am having trouble allowing clients that are inside the PacketFilter
> firewall to retrieve data from external FTP sites. Connection works fine but
> a simple ls on the remote server returns a "Connection closed by remote
> host." My pf.conf is below, any help would be appreciated.
>
> Thanks in advance,
>
> Keith
>
> ##########
> # MACROS #
> ##########
>
> # External (Internet) (5 externally addressable IPs)
> # 17(gw)
> # 18 NAT
> # 19 company.com
> # 20 UNUSED
> # 21 UNUSED
> # 22 OTHER
> ext_if="xl1"
> #ext_net="xxx.yyy.zzz.0/29"
>
> ext_gw_addr="xxx.yyy.zzz.17"
> ext_nat_addr="xxx.yyy.zzz.18"
> ext_http_addr="xxx.yyy.zzz.19"
> ext_ftp_addr="xxx.yyy.zzz.19"
> ext_unused1_addr="xxx.yyy.zzz.20"
> ext_unused2_addr="xxx.yyy.zzz.21"
> ext_other_addr="xxx.yyy.zzz.22"
>
> # Internal (Intranet)
> int_if="xl0"
> int_net="192.168.1.0/24"
>
> # DMZ
> dmz_if="vr0"
> dmz_net="10.11.13.0/24"
>
> dmz_http_addr="10.11.13.100"
> dmz_ftp_addr="10.11.13.100"
> dmz_perforce_addr="10.11.13.106"
> dmz_cerebro_addr="10.11.13.103"
>
> ##########
> # TABLES #
> ##########
> # (the <name> of each table, and its use in the two block rules below,
> # did not survive the archived copy of this message)
> table const { 127/8, 10/8, 172.16/12, 192.168/16 }
> table const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20, xxx.yyy.zzz.21 }
>
> ###########
> # OPTIONS #
> ###########
>
> #################
> # NORMALIZATION #
> #################
> scrub in all fragment reassemble
>
> ############
> # QUEUEING #
> ############
>
> ###############
> # TRANSLATION #
> ###############
>
> # NAT workstations
> nat on $ext_if from $int_net to any -> $ext_nat_addr
>
> # NAT servers external requests
> nat on $ext_if from $dmz_net to any -> $ext_nat_addr
>
> ###############
> # REDIRECTION #
> ###############
> # Outgoing FTP requests to the ftp-proxy
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used
> # to handle an FTP SERVER behind a PF filter.
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # WWW server access
> rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr port http
>
> # FTP server access (VSFTP on lab5 uses 30000-30999; if we change ftp servers
> # then modify)
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999
>
> #############
> # FILTERING #
> #############
> block in log all
> block out log all
>
> pass quick on lo0 all
>
> # (table names missing here, see the TABLES section)
> block in log quick on $ext_if from to any
> block out quick on $ext_if from any to
>
> antispoof quick for { $int_if, $dmz_if } inet
>
> pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
>
> # FTP Client active connections working with ftp-proxy
> pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
>
> # Enables FTP active mode connections. See the redirection section for the
> # line that enables FTP passive.
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used
> # to handle an FTP SERVER behind a PF filter.
> #pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
>
> # FTP Server specific rules
> # (note: "port > 29999" is wider than the 30000:30999 range the rdr rules
> # translate; only redirected ports ever reach $dmz_ftp_addr, but the filter
> # range should match the rdr range if the server's passive range changes)
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
>
> # Pass all traffic to and from the Internal Network
> pass in on $int_if from $int_net to any keep state
> #pass out on $int_if from any to $int_net keep state
>
> # Pass all traffic to and from the DMZ Network
> pass in on $dmz_if from $dmz_net to any keep state
> pass out on $dmz_if from any to $dmz_net keep state
>
> # Pass TCP, UDP, and ICMP out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

(my apologies, I forgot to reply-all)

I cannot remember if the base FreeBSD is the old ftp-proxy or the "newer"
proxy derived from pftpx, but in the newer version of ftp-proxy, ftpsesame,
etc. you need to have a helper anchor. Perhaps try the newer ftp-proxy
derived from pftpx that I have recently ported:

http://www.pfsense.com/~sullrich/ported_software/

Stick an ftp-proxy anchor above all your other rdr rules and you should be
set.

Scott
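As an added illustration of the helper anchor Scott describes (this fragment is not part of either message in the thread), here is how the TRANSLATION and FILTERING sections of Keith's pf.conf would look with the pftpx-derived ftp-proxy. That daemon handles both active and passive data connections by loading per-session nat, rdr and pass rules into anchors named "ftp-proxy/*", so the static "user proxy" rule written for the inetd-based proxy is no longer what opens the data channel. The macro names are Keith's; the assumption that the anchors sit above his other rdr rules follows Scott's advice, and 127.0.0.1 port 8021 is the daemon's default listener.

```conf
# Added example, not from the original thread: pf.conf anchors for the
# pftpx-derived ftp-proxy.  Macro names ($int_if, $ext_if, ...) are taken
# from Keith's ruleset; placement and the listener address are assumed.

###############
# TRANSLATION #
###############
# The proxy inserts a nat and an rdr rule for each FTP data connection into
# these anchors.  Translation rules are first-match, so the anchors come
# before any static nat/rdr rule that could otherwise claim the packet.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Keith's existing NAT rules stay as they were.
nat on $ext_if from $int_net to any -> $ext_nat_addr
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

# Outgoing FTP control connections from the LAN are redirected to the proxy
# on the firewall itself (127.0.0.1:8021 is ftp-proxy's default).
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Keith's rdr rules for the DMZ web and FTP servers follow unchanged.

#############
# FILTERING #
#############
block in log all
block out log all

# The per-session "pass ... quick" rules the proxy writes land here; since
# they are quick, the default blocks above cannot override them.
anchor "ftp-proxy/*"

# The proxy opens the outbound control connection to the remote FTP server
# from the firewall.  Keith's existing rule already permits that:
pass out on $ext_if proto tcp all modulate state flags S/SA
```

With this in place the `pass in on $ext_if ... user proxy` rule and its commented-out twin can be removed, because the proxy now adds exactly the rule each data connection needs and removes it when the session ends; `pfctl -a "ftp-proxy/*" -sr` (and `-sn` for the translation rules) shows them while a transfer is in progress, which is the quickest way to confirm the anchor is being populated.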