Date: Mon, 19 Sep 2005 22:54:19 -0400
From: "Dave" <dmehler26@woh.rr.com>
To: <freebsd-net@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: pftpx failing on freebsd 5.4-stable
Message-ID: <000701c5bd8e$98fa18a0$0100a8c0@titan>
Hello,
I'm trying to get ftp working from my lan to the internet. I'm using a deny by default policy and only allowing out specific traffic. My rules are below. I start pftpx and load the pf.conf file, all is good, until I try to ftp. Going from the gateway box ftp can at least log on to the site and does a 200 EPRT command which eventually times out; anything behind the gateway doesn't even get that far. I log everything via pflog and I do not see any ftp or pftpx output in the logs at all. In /var/log/messages I do see this:

Sep 19 22:36:07 guardian kernel: pflog0: promiscuous mode enabled
Sep 19 22:36:55 guardian pftpx[630]: #3 pf operation failed: Invalid argument
Sep 19 22:36:55 guardian pftpx[630]: #3 pf rule removal failed: Invalid argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf operation failed: Invalid argument
Sep 19 22:39:55 guardian pftpx[630]: #4 pf rule removal failed: Invalid argument

Any help appreciated, I'd really like to get this going.
Thanks.
Dave.

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# macros
# define the two network interfaces
ext_if="xl0"
int_if="xl1"

# define our networks
lan_net="192.168.7.0/24"

# define servers
lan_server="192.168.7.3"
nameservers = "{ xxx }"
isp_dhcp_server = "xxx"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8080, 8505, 8880, 9102 }"

# options
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"

# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
# tcp.closed is deliberately set to 1 above; a second "tcp.closed 90" here
# would silently override it (the last "set timeout" for a key wins).
set timeout { tcp.closing 900, tcp.finwait 45 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# nat
# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "pftpx/*"

# redirections
rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> $lan_server

# pftpx ftp proxy
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# default deny
block log all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# pass loopback traffic
pass quick on lo0 all

# pftpx proxy traffic
# The anchor name must match the nat-anchor and rdr-anchor above exactly;
# a stray space ("pftpx /*") names a different anchor.
anchor "pftpx/*"

# antispoof options
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# External interface (Incoming)
# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc

# Allow internet requests through in order to contact lan server
# keep state on this connection
pass in quick on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $lan_server port 1194 keep state

# External interface (outgoing)
# allow dhcp out
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps

# allow UDP requests to port 53 from firewall to exit ext_if
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port 53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

# Allow traffic from lan clients to exit $ext_if
# (After natting is performed) in order to contact internet servers
# (Keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Internal interface (incoming)
# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if:broadcast

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 keep state

# allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
# in order to perform dhcp and ntp queries on the firewall
# (Keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, 68, 123, 6112 } keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $lan_net to any port $lan_to_int_services flags S/SA keep state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 keep state

# Internal interface (Outgoing)
# Allow internet requests to exit lan
# in order to contact internet servers
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services keep state

# Firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 flags S/SA keep state

# firewall connects back to the storage daemon
# on the lan server port 9103 to enable it to back up
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port { 9101, 9102, 9103 } flags S/SA keep state
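An added check, not part of the original mail and not code from pftpx or pf: a small Python lint for the two consistency problems a reviewer looks for first in a pf.conf that delegates rules to a proxy daemon. pftpx inserts its rules into the nat-anchor, rdr-anchor and filter anchor by name, so all three spellings must be identical; and pf applies the last "set timeout" for a key, so a key set twice with different values silently loses the first setting. The embedded excerpt is constructed for the example (a handful of lines in the style of the config above, with an anchor name spelled two ways and tcp.closed set twice); the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the posted pf.conf (not the full file).
# It deliberately contains an anchor spelled two ways and a duplicated timeout.
SAMPLE_PF_CONF = """\
set timeout tcp.closed 1
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
block log all
anchor "pftpx /*"
"""

# Anchor declarations: nat-anchor, rdr-anchor, binat-anchor and filter anchor.
ANCHOR_RE = re.compile(r'^\s*(nat-anchor|rdr-anchor|binat-anchor|anchor)\s+"([^"]*)"')
TIMEOUT_RE = re.compile(r'^\s*set\s+timeout\s+(.*)$')


def anchor_names(conf):
    """Map each anchor keyword to the quoted names it declares, in file order."""
    found = defaultdict(list)
    for line in conf.splitlines():
        m = ANCHOR_RE.match(line)
        if m:
            found[m.group(1)].append(m.group(2))
    return dict(found)


def anchor_mismatches(conf):
    """Anchor names that differ only by whitespace, e.g. "pftpx /*" vs "pftpx/*".

    pf treats the name literally, so these are two different anchors even
    though the author clearly meant one.  Returns {canonical: [spellings]}.
    """
    spellings = defaultdict(set)
    for names in anchor_names(conf).values():
        for name in names:
            spellings[name.replace(" ", "")].add(name)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


def timeout_settings(conf):
    """Flatten every 'set timeout' line into (key, seconds) pairs in file order.

    Handles both the bare form 'set timeout tcp.closed 1' and the braced
    form 'set timeout { tcp.first 120, tcp.opening 30 }'.
    """
    pairs = []
    for line in conf.splitlines():
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        body = m.group(1).strip()
        items = [body]
        if body.startswith("{"):
            items = [i.strip() for i in body.strip("{} ").split(",")]
        for item in items:
            key, value = item.split()
            pairs.append((key, int(value)))
    return pairs


def conflicting_timeouts(conf):
    """Timeout keys set more than once with different values (last one wins)."""
    seen = defaultdict(list)
    for key, value in timeout_settings(conf):
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def lint(conf):
    """Human-readable findings for the two checks above."""
    findings = []
    for canonical, spellings in anchor_mismatches(conf).items():
        findings.append("anchor %r spelled inconsistently: %s" % (canonical, ", ".join(spellings)))
    for key, values in conflicting_timeouts(conf).items():
        findings.append("set timeout %s given %s; pf keeps the last (%d)" % (key, values, values[-1]))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_PF_CONF):
        print(f)
```

Run it against a real pf.conf with `lint(open("/etc/pf.conf").read())`; a clean file returns an empty list. The whitespace normalisation is intentionally narrow (only spaces), so it reports the one class of typo that pfctl -nf cannot catch because both spellings are syntactically valid anchor names.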