From owner-freebsd-pf@FreeBSD.ORG Wed Apr 2 16:58:54 2008
Date: Wed, 2 Apr 2008 09:29:10 -0700
From: Adam Richards <adam@avertech.net>
To: FREEBSD-PF <freebsd-pf@freebsd.org>
Message-ID: <20080402162910.GA49320@avertech.net>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD/7.0-RELEASE (i386)
X-GPG-Key: https://www.avertech.net/public/adam-gpg.asc (0x0BA2643B)
X-GPG-Fingerprint: 37A8 0950 DF94 097E C49C AE1B C97E 54BC 0BA2 643B
Subject: newstyle ftp-proxy and localhost connections
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I have a problem getting ftp-proxy to work for connections *originating* from the machine running ftp-proxy (the firewall itself). Presently I have ftp-proxy working just fine for client connections being forwarded *through* my firewall; but how do I get ftp to work with the firewall as the client? For example, when I do a cvsup of /usr/src to upgrade the firewall?
My firewall is running FreeBSD 7.0-RELEASE, NATing to the Internet via cable modem (bridging mode -- terminating the public IP on my firewall itself), ALTQ'ing on my Internet-facing iface, and blocking all outbound connections by default and only allowing out explicitly defined protocols/ports. Nothing terribly special or unique IMHO.

I would like to somehow direct *all* ftp traffic, both from clients I'm forwarding for as well as the firewall itself, through ftp-proxy without entering into a logic loop. Opening up ephemeral ports for ftp-data is not an option. :)

Here's a small snippet of my /etc/pf.conf (if this isn't enough, I'm happy to supply additional pf.conf details to provide more context, if needed):

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EXT_if = bge0
LAN_if = em0
LO0_if = lo0

table persist { \
    $EXT_if \
    $LAN_if \
}
[...]
FTP_proxy = $EXT_if
[...]
EXT_net = $EXT_if:network
LAN_net = $LAN_if:network
LO0_net = $LO0_if:network

table persist { \
    $LAN_net \
    $EXT_if \
}
[...]
GENERAL_TCP_out = "{ \
    domain, ntp, sds, sip, sip-tls, rdp, 2703 \
}"
MAIL_out      = "{ smtp, imaps, pop3s, mailq }"
HTTP_out      = "{ http, https, 8080 }"
SSH_ports     = "{ ssh, 2222:2226 }"
CVSUP_ports   = "{ cvsup }"
TCP_VPN_ports = "{ https, 1194:1195 }"
[...]
set debug urgent
set loginterface $EXT_if
set loginterface $LAN_if
# to get inbound synproxy to work I had to do this:
set state-policy if-bound
[...]
scrub in on $EXT_if all fragment reassemble
[...]
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $LAN_if \
    proto tcp \
    from $LAN_net \
    to any port ftp \
    -> $LO0_if port 8021
nat on $EXT_if inet from $LAN_net to any -> ($EXT_if)
[...]
block log (to pflog0) all
block log (to pflog1) quick from [...]

# (in my pass out filter rules for $EXT_if, I do not specify ftp
# or ftp-data since I expect all outgoing ftp connections to be
# handled by user proxy running ftp-proxy; thus I install
# ftp-proxy filter rules *after* my $EXT_if filter rules
[...]
anchor "ftp-proxy/*"
pass out \
    inet proto tcp \
    from $FTP_proxy \
    to any port ftp \
    flags S/SA modulate state \
    user { proxy } \
    queue(Q_transfers, Q_ack) \
    label "ftpproxy_to_all - $proto:$dstport ->"
pass on $LO0_if
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance for any insight or help you can provide! :)

-- 
Adam Richards
e:adam@avertech.net | k:0x0BA2643B
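For readers of the archive, here is the ftp-proxy(8) hook-up the snippet above is built on, reduced to the rules that matter and annotated with the pf semantics that decide whether a session reaches the proxy. This is an added example, not Adam's configuration and not text from ftp-proxy(8); the interface names, the LAN macro and the proxy address are assumptions for illustration.

```pf
# Added example (not from the original post). Interface names and the
# proxy address are assumptions; ftp-proxy's default listener is 127.0.0.1:8021.
ext_if = "bge0"
int_if = "em0"
lan    = $int_if:network
proxy  = "127.0.0.1"

# Translation section. ftp-proxy inserts per-session nat/rdr rules into
# these anchors while it parses PORT/PASV on the control channel: an rdr
# for the server's inbound active-mode data connection, a nat for the
# client's outbound passive-mode data connection.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# rdr is evaluated on packets arriving *inbound* on the named interface.
# This catches LAN clients' control connections; a connection the firewall
# itself originates leaves outbound on $ext_if and never matches this rule,
# so the proxy never sees it and the session hits the default block instead.
rdr pass on $int_if proto tcp from $lan to any port ftp -> $proxy port 8021
nat on $ext_if inet from $lan to any -> ($ext_if)

# Filter section: default deny, then the proxy's per-session pass rules.
block log all
anchor "ftp-proxy/*"

# Only the ftp-proxy process (running as user "proxy") may open outbound
# control connections, so the ephemeral data ports never need a static hole.
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp \
    flags S/SA modulate state user proxy
pass on lo0 all
```

Two checks are worth running before changing rules. First, the new ftp-proxy learns the real server address from pf's NAT lookup on the redirected connection, so pointing a client straight at 127.0.0.1:8021 is not a workaround; the control connection has to pass through an rdr rule. Second, after `pfctl -nf /etc/pf.conf` parses cleanly, start an FTP session and list the dynamic anchors with `pfctl -a 'ftp-proxy/*' -sr` (and `-sn` for the translation side): if nothing appears for a session started on the firewall itself, the SYN never reached the proxy, which is what the rdr-is-inbound rule above predicts. Running `ftp-proxy -d -D 7` in the foreground shows the same thing from the proxy's side, session by session.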