Date:      Wed, 18 Jan 2006 12:18:29 -0500
From:      Scott Ullrich <sullrich@gmail.com>
To:        Keith Bottner <keith@barkinglizards.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: client FTP using NAT
Message-ID:  <d5992baf0601180918p57a92946l2a8cec3b3a813e55@mail.gmail.com>
In-Reply-To: <02ce01c61c52$47119b30$0e01a8c0@Stile>
References:  <02ce01c61c52$47119b30$0e01a8c0@Stile>

On 1/18/06, Keith Bottner <keith@barkinglizards.com> wrote:
> I am having trouble allowing clients that are inside the PacketFilter
> firewall to retrieve data from external FTP sites. Connection works fine but
> a simple ls on the remote server returns a "Connection closed by remote
> host." My pf.conf is below, any help would be appreciated.
>
> Thanks in advance,
>
> Keith
>
> ##########
> # MACROS #
> ##########
>
> # External (Internet) (5 externally addressable IPs)
> # 17(gw)
> # 18 NAT
> # 19 company.com
> # 20 UNUSED
> # 21 UNUSED
> # 22 OTHER
> ext_if="xl1"
> #ext_net="xxx.yyy.zzz.0/29"
>
> ext_gw_addr="xxx.yyy.zzz.17"
> ext_nat_addr="xxx.yyy.zzz.18"
> ext_http_addr="xxx.yyy.zzz.19"
> ext_ftp_addr="xxx.yyy.zzz.19"
> ext_unused1_addr="xxx.yyy.zzz.20"
> ext_unused2_addr="xxx.yyy.zzz.21"
> ext_other_addr="xxx.yyy.zzz.22"
>
> # Internal (Intranet)
> int_if="xl0"
> int_net="192.168.1.0/24"
>
> # DMZ
> dmz_if="vr0"
> dmz_net="10.11.13.0/24"
>
>
> dmz_http_addr="10.11.13.100"
> dmz_ftp_addr="10.11.13.100"
> dmz_perforce_addr="10.11.13.106"
> dmz_cerebro_addr="10.11.13.103"
>
>
> ##########
> # TABLES #
> ##########
> table <priv_nets> const { 127/8, 10/8, 172.16/12, 192.168/16 }
> table <firewall> const { xxx.yyy.zzz.18, xxx.yyy.zzz.19, xxx.yyy.zzz.20,
> xxx.yyy.zzz.21}
>
> ###########
> # OPTIONS #
> ###########
>
>
> #################
> # NORMALIZATION #
> #################
> scrub in all fragment reassemble
>
> ############
> # QUEUEING #
> ############
>
>
> ###############
> # TRANSLATION #
> ###############
>
> # NAT workstations
> nat on $ext_if from $int_net to any -> $ext_nat_addr
>
> # NAT servers external requests
> nat on $ext_if from $dmz_net to any -> $ext_nat_addr
>
>
> ###############
> # REDIRECTION #
> ###############
> # Outgoing FTP requests to the ftp-proxy
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
> # FTP SERVER behind a PF filter.
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
>
> # WWW server access
> rdr on $ext_if proto tcp from any to $ext_if port http -> $dmz_http_addr
> port http
>
>
> # FTP server access (VSFTP on lab5 uses 30000-30999; if we change ftp servers then modify)
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
> rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999
>
>
> #############
> # FILTERING #
> #############
> block in log all
> block out log all
>
> pass quick on lo0 all
>
> block in log quick on $ext_if from <priv_nets> to any
> block out quick on $ext_if from any to <priv_nets>
>
> antispoof quick for { $int_if, $dmz_if } inet
>
> pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state
>
>
> # FTP Client active connections working with ftp-proxy
> pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
>
> # Enables FTP active mode connections. See the redirection section for the line that enables
> # FTP passive.
> #
> # NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used to handle an
> # FTP SERVER behind a PF filter.
> #pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state
>
>
> # FTP Server specific rules
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
> pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port > 29999 keep state
>
>
> # Pass all traffic to and from the Internal Network
> pass in on $int_if from $int_net to any keep state
> #pass out on $int_if from any to $int_net keep state
>
> # Pass all traffic to and from the DMZ Network
> pass in on $dmz_if from $dmz_net to any keep state
> pass out on $dmz_if from any to $dmz_net keep state
>
> # Pass TCP, UDP, and ICMP out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

(my apologies, I forgot to reply-all)

I cannot remember if the base FreeBSD is the old ftp-proxy or the
"newer" proxy derived from pftpx, but in the newer version of
ftp-proxy, ftpsesame, etc., you need to have a helper anchor.

Perhaps try the newer ftp-proxy derived from pftpx that I have
recently ported: http://www.pfsense.com/~sullrich/ported_software/

Stick an ftp-proxy anchor above all your other rdr rules and you should be set.

Scott
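The anchor setup Scott is pointing at, written out as an added example (this is not code from the thread, and not Keith's config as posted): the pf.conf fragment that the pftpx-derived ftp-proxy(8) expects, spliced into the macro names from Keith's rule set ($int_if, $int_net, $ext_if, $ext_nat_addr, $dmz_net) and his existing redirect to 127.0.0.1 port 8021. The anchor name "ftp-proxy/*" is the one the new ftp-proxy uses by default; everything else about Keith's network (addresses, which ftp-proxy build is installed) is assumed, not known from the thread.

```pf
# Added example: wiring the daemon-based (pftpx-derived) ftp-proxy into the
# quoted rule set.  Macro names are reused from Keith's pf.conf.

###############
# TRANSLATION #
###############
# ftp-proxy inserts its own nat/rdr rules into these anchors at run time
# for every data connection it negotiates.  Translation rules are
# first-match, so the anchors must sit ABOVE every static nat/rdr rule;
# otherwise a static rdr (for example the FTP-server rdr on port 21 or the
# 30000:30999 range) is matched first and the proxy's rule is never seen.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# NAT workstations and DMZ servers, as before
nat on $ext_if from $int_net to any -> $ext_nat_addr
nat on $ext_if from $dmz_net to any -> $ext_nat_addr

###############
# REDIRECTION #
###############
# Outgoing FTP control connections from the LAN go to the proxy listening
# on 127.0.0.1:8021 (same redirect as the original config; ftp-proxy(8)
# documents it as "rdr pass ... port 21 -> 127.0.0.1 port 8021").
rdr on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

# ... the WWW and FTP-server rdr rules from the original config follow here ...

#############
# FILTERING #
#############
block in log all
block out log all
pass quick on lo0 all

# The proxy also inserts "pass ... quick" rules for the data connections
# (active and passive mode) into this filter anchor.  Because the inserted
# rules are quick, any "quick" rule evaluated before this anchor takes
# precedence over them; the anchor therefore goes early in the filter
# section, right after the loopback rule.
anchor "ftp-proxy/*"

# The proxy opens the control connection to the remote server from the
# firewall's own address (ftp-proxy -a <addr> overrides it).  Keith's
# "pass out on $ext_if proto tcp all modulate state flags S/SA" already
# allows that; the narrower form, if the catch-all is ever removed, is:
# pass out on $ext_if proto tcp from $ext_if to any port ftp keep state

# The "user proxy" pass rules on ftp-data were for the old inetd-started
# ftp-proxy and are not needed with the daemon-based proxy.
```

The new ftp-proxy runs as a standalone daemon rather than from inetd as the old one did. On a FreeBSD system whose base ftp-proxy is the pftpx-derived one, that is `ftpproxy_enable="YES"` in /etc/rc.conf; for the binary Scott ported separately the start method is an assumption and should be checked against his package. After loading the rules, `pfctl -a "ftp-proxy/*" -sr` and `pfctl -a "ftp-proxy/*" -sn` show the rules the proxy has inserted while a client session (an `ls` in active or passive mode) is open, which is the quickest way to confirm the anchors are being populated.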



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d5992baf0601180918p57a92946l2a8cec3b3a813e55>