Date: Tue, 4 Oct 2005 17:21:35 -0400
From: "Dave" <dmehler26@woh.rr.com>
To: <freebsd-pf@freebsd.org>
Subject: active ftp, pf, and traffic queueing
Message-ID: <000301c5c929$99f8aae0$0900a8c0@satellite>
Hello,

I'm running pf on a FreeBSD 5.4-p6 gateway box which also does NAT for an internal network. I *finally*, after a lot of help/google searching, got passive FTP connections working not only from my gateway box but from my LAN clients. I consider this quite good!

My problem now is I have two older clients that utilize active FTP, and they're not working. I've got rules in pf.conf to allow active connections, but apparently it's not right; no good. If anyone can help with this I'd appreciate it.

I'm also looking for evaluations on the security of my ruleset: does it in fact block everything and only allow what I designate? And given my setup I want to get into traffic prioritization; with these rules I'm wondering what the most efficient way is?

Thanks.
Dave.

pf.conf:

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "rl0"
int_if = "rl1"

# define some address macros
lan_server = "192.168.1.3"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4662, 4711, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
isp_dhcp_server = "10.40.224.1"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df

# queue bandwidth limiting
#altq on $ext_if cbq bandwidth 768Kb queue { std, ssh, ftp, pop3 }
#queue std bandwidth 50% cbq(default)
#queue ssh bandwidth 25% { ssh_login, ssh_bulk }
#queue ssh_login bandwidth 25% priority 4 cbq(ecn)
#queue ssh_bulk bandwidth 75% cbq(ecn)
#queue ftp bandwidth 50Kb priority 3 cbq(borrow red)
#queue pop3 bandwidth 100Kb priority 3 cbq(borrow red)

# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080

# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server

# pass all loopback traffic
pass quick on lo0 all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# Thwart nmap scans
block in log quick on $ext_if proto tcp all flags FUP/FUP

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# block everything from entering EXT
block in log on $ext_if all

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state

# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state

# GRE traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server keep state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy flags S/SA keep state

# block everything from exiting EXT
block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy flags S/SA keep state

# block everything from entering LAN
block in log on $int_if all

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state

# allow UDP requests to ports 67, 68, 123 (and 6112) from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state

# lan network connects to firewall via ssh for administrative purposes
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state

# allow requests from lan network to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state

# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state

# allow ftp connections from lan to proxy
pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port 55000:57000 flags S/SA keep state

# block everything from exiting LAN
block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state

# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state

# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server keep state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state
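The question "does it in fact block everything and only allow what I designate?" is a question about pf's evaluation order: filter rules are evaluated last-match-wins, and a rule marked quick stops evaluation at that rule. The following is an added example, not part of the original post and not pf code: a small Python model of that evaluation order, loaded with the inbound-on-$ext_if subset of the ruleset above, and walked over a few constructed packets. The external address 198.51.100.2 and the remote address 203.0.113.9 are made up; the model only looks at the first packet of a connection (the one pf's rules decide on, since later packets ride on the state entry), ignores TCP flags and the user option, and feeds the filter the post-translation destination, because pf filters on addresses after nat/rdr have been applied. The "ext_addr_variant" rule list is a hypothesis for the poster to check, not a rule from the post: it is the posted active-FTP data rule with the destination changed from 127.0.0.1 to the external interface address.

```python
"""Toy model of pf filter evaluation (last match wins unless a rule is quick),
used to trace constructed packets through the inbound-on-$ext_if rules of the
post. Illustrative only; not pf, not the poster's tooling.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None                      # wildcard for any rule field
EXT_ADDR = "198.51.100.2"       # constructed address for rl0 (the real one is not in the post)
LAN_SERVER = "192.168.1.3"      # from the post

Range = Tuple[int, int]         # inclusive port range


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str                    # destination AFTER nat/rdr, as pf's filter sees it
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str] = ANY
    iface: Optional[str] = ANY
    proto: Optional[str] = ANY
    src: Optional[str] = ANY
    sport: Optional[Range] = ANY
    dst: Optional[str] = ANY
    dport: Optional[Tuple[Range, ...]] = ANY   # one or more ranges, like a port list
    quick: bool = False
    label: str = ""

    def matches(self, p: Packet) -> bool:
        fields = ((self.direction, p.direction), (self.iface, p.iface),
                  (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst))
        if any(want is not ANY and want != got for want, got in fields):
            return False
        if self.sport is not ANY and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport is not ANY and not any(lo <= p.dport <= hi for lo, hi in self.dport):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule pf would apply to p.
    Every matching rule overrides the previous one; quick stops the walk.
    pf's behaviour when no rule matches at all is to pass."""
    decision = ("pass", "default (no rule matched)")
    for r in rules:
        if r.matches(p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision


def ports(*ps: int) -> Tuple[Range, ...]:
    return tuple((p, p) for p in ps)


def as_posted_rules() -> List[Rule]:
    """Inbound-on-$ext_if rules from the post, in posted order (flags/user omitted)."""
    return [
        Rule("block", "in", "rl0", label="block in log on $ext_if all"),
        Rule("pass", "in", "rl0", "tcp", dst=LAN_SERVER,
             dport=ports(22, 25, 80, 110, 443, 995, 1194, 1723, 8000),
             label="pass in ... to $lan_server port $int_to_lan_services"),
        Rule("pass", "in", "rl0", "udp", dst=LAN_SERVER, dport=ports(1194),
             label="pass in ... udp ... port 1194"),
        # 'port 55000 >< 57000' is an exclusive range in pf: 55001 through 56999
        Rule("pass", "in", "rl0", "tcp", sport=(20, 20), dst="127.0.0.1",
             dport=((55001, 56999),), quick=True,
             label="pass in quick ... from any port 20 to 127.0.0.1 port 55000 >< 57000"),
    ]


def ext_addr_variant_rules() -> List[Rule]:
    """Hypothesis, not from the post: same list, but the active-FTP data rule
    names the external interface address instead of 127.0.0.1."""
    rules = as_posted_rules()
    rules[-1] = Rule("pass", "in", "rl0", "tcp", sport=(20, 20), dst=EXT_ADDR,
                     dport=((55001, 56999),), quick=True,
                     label="pass in quick ... from any port 20 to $ext_if ... (variant)")
    return rules


def scenarios() -> dict:
    remote = "203.0.113.9"      # constructed remote FTP/web client address
    packets = {
        # web hit, already rdr'd to the lan server before filtering
        "web_to_lan_server": Packet("in", "rl0", "tcp", remote, 40000, LAN_SERVER, 80),
        # active-mode data connection back from the server's port 20 to the proxy
        "active_ftp_data":   Packet("in", "rl0", "tcp", remote, 20, EXT_ADDR, 56000),
        # unsolicited SYN to a port nothing listens on
        "unsolicited_5555":  Packet("in", "rl0", "tcp", remote, 40000, EXT_ADDR, 5555),
    }
    return {name: {"as_posted": evaluate(as_posted_rules(), pkt)[0],
                   "ext_addr_variant": evaluate(ext_addr_variant_rules(), pkt)[0]}
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name:20s} as posted: {res['as_posted']:5s}  variant: {res['ext_addr_variant']}")
```

What the walk shows: the web hit and the unsolicited SYN come out as intended (pass and block). The active-mode data connection is blocked under the rules as posted, because a packet arriving on rl0 from the Internet carries the external interface's address as its destination, so a rule written with "to 127.0.0.1" can never match it and the packet falls back to "block in log on $ext_if all"; with the destination changed to the external address the quick pass rule matches. Since that block rule logs, such packets are visible on the firewall with tcpdump on pflog0, which is the check to run before editing the rule. Syntax-only validation of the edited file is available with pfctl -n -f /etc/pf.conf.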