Date:      Mon, 14 Aug 2006 00:59:27 +0300
From:      "Ivan Levchenko" <levchenko.i@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   ftp-proxy with pf
Message-ID:  <e39dd5bb0608131459j666e1b7cr70cfbde80dad86cc@mail.gmail.com>
In-Reply-To: <e39dd5bb0608131235j774f24adnb96d7d8dd1414eca@mail.gmail.com>
References:  <e39dd5bb0608131235j774f24adnb96d7d8dd1414eca@mail.gmail.com>


[-- Attachment #1 --]
Hi everybody,

having some troubles with ftp-proxy on my gateway at home: the darn
thing gets me connected to an outside ftp server, but won't let me do
anything else with it.

the gateway computer is freebsd (it is running pf with nat to share
and secure a pppoe connection); the client computer is running kubuntu
6.06.

here is what i get when trying to connect to a ftp server behind the nat:

$ ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 ftp.FreeBSD.org NcFTPd Server (licensed copy) ready.
Name (ftp.freebsd.org:ivan): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-You are user #112 of 1000 simultaneous users allowed.
230-
230 Logged in anonymously.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Data connection must go to same host as control connection.
ftp: bind: Address already in use
ftp>

or i get this error when connecting to a different ftp server (vsftpd):
500 Illegal PORT command.
ftp: bind: Address already in use.

i read the ftp-proxy and pf.conf man pages and have google-ed more
than my brain can comprehend but still no answer for this.

i attached the conf files for pf.conf and inetd.conf

any help (the right keyword to google with will be nice too!!!) will be great!

--
Best Regards,

Ivan Levchenko
levchenko.i@gmail.com

[-- Attachment #2 --]
# $FreeBSD: src/etc/inetd.conf,v 1.70.2.1 2006/03/28 15:51:44 ceri Exp $
#
# Internet server configuration database
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
# Review notes on this copy (posted with the ftp-proxy question in the
# covering mail): only two entries are live, the ftp line directly below and
# the 127.0.0.1:8021 ftp-proxy line at the end; everything else is the stock
# FreeBSD template with its services left disabled.
#
# ftpd on the gateway itself, IPv4 only (the tcp6 twin stays disabled).
# -l logs each successful and failed session via syslog.  inetd binds this
# to every address (see the N.B. next to the ftp-proxy entry), so the pf
# ruleset is the only thing keeping it off the external interface.  Binding
# it to the LAN address, the way the ftp-proxy entry is bound to 127.0.0.1,
# would narrow that regardless of the firewall, e.g.
#	<internal-address>:ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
#ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -l
#ssh	stream	tcp	nowait	root	/usr/sbin/sshd		sshd -i -4
#ssh	stream	tcp6	nowait	root	/usr/sbin/sshd		sshd -i -6
#telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
#telnet	stream	tcp6	nowait	root	/usr/libexec/telnetd	telnetd
#shell	stream	tcp	nowait	root	/usr/libexec/rshd	rshd
#shell	stream	tcp6	nowait	root	/usr/libexec/rshd	rshd
#login	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind
#login	stream	tcp6	nowait	root	/usr/libexec/rlogind	rlogind
#finger	stream	tcp	nowait/3/10 nobody /usr/libexec/fingerd	fingerd -s
#finger	stream	tcp6	nowait/3/10 nobody /usr/libexec/fingerd	fingerd -s
#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat	dgram	udp	wait	tty:tty	/usr/libexec/comsat	comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk	dgram	udp	wait	tty:tty	/usr/libexec/ntalkd	ntalkd
#tftp	dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
#tftp	dgram	udp6	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
#bootps	dgram	udp	wait	root	/usr/libexec/bootpd	bootpd
#
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns.  Only turn on what you
# need.
#
#daytime stream	tcp	nowait	root	internal
#daytime stream	tcp6	nowait	root	internal
#daytime dgram	udp	wait	root	internal
#daytime dgram	udp6	wait	root	internal
#time	stream	tcp	nowait	root	internal
#time	stream	tcp6	nowait	root	internal
#time	 dgram	udp	wait	root	internal
#time	 dgram	udp6	wait	root	internal
#echo	stream	tcp	nowait	root	internal
#echo	stream	tcp6	nowait	root	internal
#echo	dgram	udp	wait	root	internal
#echo	dgram	udp6	wait	root	internal
#discard stream	tcp	nowait	root	internal
#discard stream	tcp6	nowait	root	internal
#discard dgram	udp	wait	root	internal
#discard dgram	udp6	wait	root	internal
#chargen stream	tcp	nowait	root	internal
#chargen stream	tcp6	nowait	root	internal
#chargen dgram	udp	wait	root	internal
#chargen dgram	udp6	wait	root	internal
#
# CVS servers - for master CVS repositories only!  You must set the
# --allow-root path correctly or you open a trivial to exploit but
# deadly security hole.
#
#cvspserver	stream	tcp	nowait	root	/usr/bin/cvs	cvs --allow-root=/your/cvsroot/here pserver
#cvspserver	stream	tcp	nowait	root	/usr/bin/cvs	cvs --allow-root=/your/cvsroot/here kserver
#
# RPC based services (you MUST have rpcbind running to use these)
#
#rstatd/1-3	dgram rpc/udp wait root	/usr/libexec/rpc.rstatd	 rpc.rstatd
#rusersd/1-2	dgram rpc/udp wait root	/usr/libexec/rpc.rusersd rpc.rusersd
#walld/1	dgram rpc/udp wait root	/usr/libexec/rpc.rwalld	 rpc.rwalld
#pcnfsd/1-2	dgram rpc/udp wait root	/usr/local/libexec/rpc.pcnfsd	 rpc.pcnfsd
#rquotad/1	dgram rpc/udp wait root	/usr/libexec/rpc.rquotad rpc.rquotad
#sprayd/1	dgram rpc/udp wait root	/usr/libexec/rpc.sprayd	 rpc.sprayd
#
# example entry for the optional pop3 server
#
#pop3	stream	tcp	nowait	root	/usr/local/libexec/popper	popper
#
# example entry for the optional imap4 server
#
#imap4	stream	tcp	nowait	root	/usr/local/libexec/imapd	imapd
#
# example entry for the optional nntp server
#
#nntp	stream	tcp	nowait	news	/usr/local/libexec/nntpd	nntpd
#
# example entry for the optional uucpd server
#
#uucpd	stream	tcp	nowait	root	/usr/local/libexec/uucpd	uucpd
#
# Return error for all "ident" requests
#
#auth	stream	tcp	nowait	root	internal
#auth	stream	tcp6	nowait	root	internal
#
# Provide internally a real "ident" service which provides ~/.fakeid support,
# provides ~/.noident support, reports UNKNOWN as the operating system type
# and times out after 30 seconds.
#
#auth	stream	tcp	nowait	root	internal	auth -r -f -n -o UNKNOWN -t 30
#auth	stream	tcp6	nowait	root	internal	auth -r -f -n -o UNKNOWN -t 30
#
# Example entry for an external ident server
#
#auth	stream	tcp	wait	root	/usr/local/sbin/identd	identd -w -t120
#
# Example entry for the optional qmail MTA
#  NOTE: This is no longer the correct way to handle incoming SMTP
#        connections for qmail.  Use tcpserver (http://cr.yp.to/ucspi-tcp.html)
#        instead.
#
#smtp	stream	tcp	nowait	qmaild	/var/qmail/bin/tcp-env	tcp-env /var/qmail/bin/qmail-smtpd
#
# Enable the following two entries to enable samba startup from inetd
# (from the Samba documentation).  Enable the third entry to enable the swat
# samba configuration tool.
#
#netbios-ssn stream tcp	nowait		root	/usr/local/sbin/smbd	smbd
#netbios-ns dgram udp	wait		root	/usr/local/sbin/nmbd	nmbd
#swat	stream	tcp	nowait/400	root	/usr/local/sbin/swat	swat
#
# Enable the following entry to enable ftp-proxy to NAT ftp sessions with pf
# N.B.: inetd binds to * in the default installation so you should add
#	an appropriate block rule to your pf.conf
#ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# The live proxy entry.  The addr:port form in the first field binds it to
# the loopback address only, which settles the N.B. above: the only way to
# reach the proxy is the pf "rdr ... -> 127.0.0.1 port 8021" rule.  inetd
# starts it as root; the attached pf.conf matches the data connections with
# "user proxy", so it relies on ftp-proxy dropping to that user by itself --
# confirm the default (and -u) in ftp-proxy(8) for this release.  -n selects
# the proxy's NAT mode; check its exact effect there too.  Note that the
# symptom in the covering mail (the server rejecting the PORT address) is
# also what a LAN client gets when the rdr never matches and the session
# bypasses the proxy entirely, so verify the rdr before changing flags here.
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

[-- Attachment #3 --]
#	$FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
 
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# Review notes on this copy (posted with the ftp-proxy question in the covering
# mail).  The server replies quoted there -- "550 Data connection must go to
# same host as control connection" and "500 Illegal PORT command" -- are what
# an FTP server answers when an active-mode PORT command names an address other
# than the one the control connection came from, i.e. when the session is
# plain-NATed and the client's private LAN address leaks through.  That is the
# case here: the ftp rdr rule below never matches, so ftp-proxy is never used.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="tun0"	# replace with actual external interface name i.e., dc0
int_if="rl0"	# replace with actual internal interface name i.e., dc1
icmp_types="{ echoreq, echorep, unreach }"
int_net="192.168.0.0/24"

# Tables: similar to macros, but more flexible for many addresses.
# Source addresses that must never arrive on the external interface (private,
# loopback, link-local, reserved).  127.0.0.1/8 is presumably loaded as the
# 127.0.0.0/8 network (pfctl masks the host bits); writing the network address
# would make that explicit.  192.168.1.18 is a lone host among network blocks
# -- if deliberate, it deserves a comment of its own.
table <notroutable> { 10.0.0.0/8, 192.168.0.0/24, 192.168.1.18, 127.0.0.1/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 172.16.0.0/12 }
# NOTE(review): 192.168.0.194/24 and 192.168.0.233/24 are the same network,
# 192.168.0.0/24 -- with the /24 masks this table is the whole LAN, not two
# hosts.  If only those two machines are meant, list them without a mask (or
# as /32); every "from <allowed>" rule below currently inherits the wider match.
table <allowed> { 192.168.0.194/24, 192.168.0.233/24 }


# Options: tune the behavior of pf, default values are given.
set optimization normal
set block-policy return 
set skip on lo0


# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all


# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# Only <allowed> sources are translated; ($ext_if) in parentheses is re-read
# whenever tun0 gets a new PPPoE address.
nat on $ext_if from <allowed> to any -> ($ext_if)
# Never matches: the only nat rule is the one on $ext_if above, so there is
# nothing on $int_if for this exemption to exclude.  Harmless, but misleading.
no nat on $int_if proto tcp from $int_if to $int_net


# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# Keep the gateway's own ftpd reachable from the LAN without the proxy.
no rdr on $int_if proto tcp from <allowed> to $int_if port 21
# NOTE(review): this is why the proxy is never used.  An interface name in an
# address position stands for that interface's own addresses, so this rule only
# matches packets *from* the gateway's rl0 address *to* the gateway's tun0
# address -- never a LAN client talking to an FTP server on the Internet.
# Those sessions fall through to plain NAT, the client's PORT command carries
# its 192.168.0.x address, and the server rejects it exactly as in the mail.
# The intended rule (keep the "no rdr" above it):
#   rdr on $int_if proto tcp from <allowed> to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from $int_if to $ext_if port 21 -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025


# Filtering: the implicit first two rules are
#pass in on $ext_if all
#pass out on $ext_if all


#We want to block everything first
# Default-deny inbound on both interfaces.  Filter rules are last-match, so any
# later pass rule that is not "quick" overrides these -- see the ftp-proxy
# section at the end.
block in log on $ext_if all
block in on $int_if all


#Enable antispoof for the internet and out internals
# NOTE(review): with these disabled, <notroutable> is the only spoofing check,
# and it covers ingress on $ext_if only; "antispoof quick for { $int_if, $ext_if }"
# placed ahead of the quick ssh rule would cover both interfaces.
#antispoof for $ext_if
#antispoof for $int_if


#let everything pass out into the internet that starts a connection and keep state for it
pass out on $ext_if proto { tcp, udp } all keep state
pass out on $int_if proto { tcp, udp } all keep state # Pass everything out from this computer to the internal network

#Here go the quick rules
# NOTE(review): both rules below are "quick", so the first match wins.  With the
# ssh pass first, a SYN to port 22 from a <notroutable> source is accepted
# before the block line is ever reached; put the block line first.
pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 22 keep state # allow ssh for the outside and keep state
block drop in log quick on $ext_if from <notroutable> to any #Block in shit from smart asses
  

# LAN clients in <allowed> may open connections to the listed ports anywhere;
# everything else on $int_if stays blocked by the default above.  (ssh/22 and
# ftp-data/20 are each listed twice.)
# NOTE(review): translation runs before filtering, so once the ftp rdr matches
# the packet arrives here with destination 127.0.0.1 port 8021, which is not in
# this list and would be dropped.  Needed alongside the rdr:
#   pass in on $int_if inet proto tcp from <allowed> to 127.0.0.1 port 8021 keep state
pass in on $int_if proto { tcp, udp } from <allowed> to any port { www, ftp, ftp-data, domain, pop3, smtp, ssh, 22, 8080, ntp, 443, 3724, 20 } keep state 

#ICMP rules
# echo request/reply and unreachable only, on every interface, stateful.
pass inet proto icmp all icmp-type $icmp_types keep state


# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state


#Rules for ftp and ftp-proxy
# Server-initiated (active mode) data connection back to the proxy.  "user
# proxy" only matches if ftp-proxy has dropped privileges to that user (inetd
# starts it as root -- confirm the default in ftp-proxy(8)).  Unlike the
# ($ext_if) used above, a bare $ext_if is expanded once at load time, so a new
# PPPoE address on tun0 silently breaks this rule until the ruleset is reloaded.
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
# NOTE(review): the next two rules are a hole, not an FTP fix.  They match on
# source port alone: any host on the Internet whose connection comes from an
# ephemeral port (>49151 is the IANA dynamic range, which many clients use by
# default) is passed to *any* port on this box, and because filter rules are
# last-match this overrides the "block in log on $ext_if all" default above --
# ftpd, which inetd binds to every address, is reachable that way.  The $int_if
# twin likewise lets any LAN host bypass the <allowed> port list, and since nat
# is limited to <allowed> those packets then leave tun0 un-translated.  The
# server's data connection is already covered by the ftp-data/user proxy rule,
# and passive-mode data connections are outbound, covered by "pass out on
# $ext_if".  Remove both, or at least pin the destination and owner, e.g.
#   pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49151 user proxy flags S/SA keep state
pass in on $ext_if inet proto tcp from port > 49151 to any keep state
pass in on $int_if inet proto tcp from port > 49151 to any keep state

