Date: Wed, 2 Apr 2008 09:29:10 -0700 From: Adam Richards <adam@avertech.net> To: FREEBSD-PF <freebsd-pf@freebsd.org> Subject: newstyle ftp-proxy and localhost connections Message-ID: <20080402162910.GA49320@avertech.net>
Hi,

I have a problem getting ftp-proxy to work for connections *originating* from the machine running ftp-proxy (the firewall itself). Presently I have ftp-proxy working just fine for client connections being forwarded *through* my firewall; but how do I get ftp to work with the firewall as the client? For example, when I do a cvsup of /usr/src to upgrade the firewall?

My firewall is running FreeBSD 7.0-RELEASE, NATing to the Internet via cable modem (bridging mode -- terminating the public IP on my firewall itself), ALTQ'ing on my Internet-facing iface, and blocking all outbound connections by default and only allowing out explicitly defined protocols/ports. Nothing terribly special or unique IMHO.

I would like to somehow direct *all* ftp traffic, both from clients I'm forwarding for as well as the firewall itself, through ftp-proxy without entering into a logic loop. Opening up ephemeral ports for ftp-data is not an option. :)

Here's a small snippet of my /etc/pf.conf (if this isn't enough, I'm happy to supply additional pf.conf details to provide more context, if needed):

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EXT_if = bge0
LAN_if = em0
LO0_if = lo0

table <LOCALINTS> persist { \
    $EXT_if \
    $LAN_if \
}
[...]
FTP_proxy = $EXT_if
[...]
EXT_net = $EXT_if:network
LAN_net = $LAN_if:network
LO0_net = $LO0_if:network

table <LOCALNETS> persist { \
    $LAN_net \
    $EXT_if \
}
[...]
GENERAL_TCP_out = "{ \
    domain, ntp, sds, sip, sip-tls, rdp, 2703 \
}"
MAIL_out = "{ smtp, imaps, pop3s, mailq }"
HTTP_out = "{ http, https, 8080 }"
SSH_ports = "{ ssh, 2222:2226 }"
CVSUP_ports = "{ cvsup }"
TCP_VPN_ports = "{ https, 1194:1195 }"
[...]
set debug urgent
set loginterface $EXT_if
set loginterface $LAN_if
# to get inbound synproxy to work I had to do this:
set state-policy if-bound
[...]
scrub in on $EXT_if all fragment reassemble
[...]
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN_if \
    proto tcp \
    from $LAN_net \
    to any port ftp \
    -> $LO0_if port 8021
nat on $EXT_if inet from $LAN_net to any -> ($EXT_if)
[...]
block log (to pflog0) all
block log (to pflog1) quick from <BRUTEFORCE>
[...]
# (in my pass out filter rules for $EXT_if, I do not specify ftp
# or ftp-data since I expect all outgoing ftp connections to be
# handled by user proxy running ftp-proxy; thus I install
# ftp-proxy filter rules *after* my $EXT_if filter rules
[...]
anchor "ftp-proxy/*"
pass out \
    inet proto tcp \
    from $FTP_proxy \
    to any port ftp \
    flags S/SA modulate state \
    user { proxy } \
    queue(Q_transfers, Q_ack) \
    label "ftpproxy_to_all - $proto:$dstport ->"
pass on $LO0_if
# <EOF>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance for any insight or help you can provide! :)

--
Adam Richards
e:adam@avertech.net | k:0x0BA2643B
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080402162910.GA49320>