[Solved] proftpd + pf .. external client can't connect [Archive] - The FreeBSD Forums



Orige
April 19th, 2010, 17:00
Hi all.
I installed proftpd on my server, FreeBSD 8 amd64 stable, with pf.
I set up the ftp rules in pf.conf and in inetd too.

My proftpd.conf looks like this:

#
# For more information about ProFTPD configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "FTP StoreComputer"
ServerType standalone
DefaultServer on
ScoreboardFile /var/run/proftpd/proftpd.scoreboard

# Port 21 is the standard FTP port.
Port 21
# Use IPv6 support by default.
UseIPv6 off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

CommandBufferSize 512

# Set the user and group under which the server will run.
User nobody
Group nogroup

#AuthUserFile /etc/passwd.ftp
RequireValidShell off

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot /usr/ftp

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.

#########################################################################
#                                                                       #
# Uncomment lines with only one # to allow basic anonymous access       #
#                                                                       #
#########################################################################

#<Anonymous /usr/ftp>
# User ftp
# Group ftp
#</Anonymous>

### We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp

### Limit the maximum number of anonymous logins
# MaxClients 10

### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
DisplayLogin welcome.msg
# DisplayFirstChdir .message

### Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>


# MODULES
<IfModule mod_auth_pam.c>
AuthPAM on
</IfModule>


<IfModule mod_quotatab.c>
QuotaEngine on
QuotaLog /var/log/ftpd/quota.log

# For more information on using files for storing the limit and tally
# table quota data, please see the mod_quotatab_file documentation:
#
# http://www.castaglia.org/proftpd/modules/mod_quotatab_file.html
#
<IfModule mod_quotatab_file.c>
QuotaLimitTable file:/etc/ftpd/ftpquota.limittab
QuotaTallyTable file:/etc/ftpd/ftpquota.tallytab
</IfModule>

</IfModule>


and the rule in pf.conf is:
pass in quick proto {tcp,udp} from any to any port ftp keep state


But with this rule I can't connect to my ftp server from a remote network.

Does somebody have an idea?

Thanks..

SirDice
April 19th, 2010, 17:02
You also need to open ftp-data. FTP is notoriously tricky to firewall.

http://www.openbsd.org/faq/pf/ftp.html
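Why "open ftp-data" is not enough in practice: in passive mode the server tells the client, inside the control connection, which address and port to open for each data transfer, so a stateful firewall only sees a new inbound SYN to a port it has never heard of. The decoder below is an added example (not code from the post, from ProFTPD, or from the OpenBSD FAQ) that parses the 227/229 replies exactly as a client does and then checks the two things that break a server behind pf/NAT: a data port outside the range the firewall opens (the server's PassivePorts directive), and a server advertising its LAN address to an outside client (fixed with MasqueradeAddress). The reply strings, the addresses 203.0.113.10 and 192.168.1.1, and the 60000-60500 range are constructed for the example.

```python
import ipaddress
import re

# Constructed sample replies; not captured from the poster's server.
PASV_OK = "227 Entering Passive Mode (203,0,113,10,234,96)."
PASV_LEAKED_LAN_ADDR = "227 Entering Passive Mode (192,168,1,1,234,96)."
PASV_OUT_OF_RANGE = "227 Entering Passive Mode (203,0,113,10,3,232)."
EPSV_OK = "229 Entering Extended Passive Mode (|||60100|)"

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also flags the
# documentation nets used in the samples, which is not what we want here).
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(addr):
    return any(addr in net for net in _RFC1918)


def parse_pasv(reply):
    """Decode a 227 reply: host is h1.h2.h3.h4, port is p1*256 + p2."""
    m = _PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply, control_host):
    """Decode a 229 reply (RFC 2428): only the port is carried; the data
    connection goes to the same address as the control connection."""
    m = _EPSV_RE.match(reply)
    if m is None:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return control_host, port


def check_data_endpoint(host, port, control_host, passive_ports):
    """Return the reasons the data connection would not reach a server behind
    a stateful firewall, or [] if the advertised endpoint looks usable.
    passive_ports is the (low, high) range the firewall passes; it has to
    match the server's PassivePorts directive."""
    low, high = passive_ports
    problems = []
    if not low <= port <= high:
        problems.append("data port %d is outside PassivePorts %d-%d; the "
                        "firewall has no rule for it" % (port, low, high))
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_host)
    if advertised != peer:
        if _is_rfc1918(advertised) and not _is_rfc1918(peer):
            problems.append("server advertised LAN address %s to an outside "
                            "client; set MasqueradeAddress to the public "
                            "address" % host)
        else:
            problems.append("data address %s differs from control address %s"
                            % (host, control_host))
    return problems


if __name__ == "__main__":
    public = "203.0.113.10"            # address the client connected to
    for reply in (PASV_OK, PASV_LEAKED_LAN_ADDR, PASV_OUT_OF_RANGE):
        host, port = parse_pasv(reply)
        print(reply, "->", host, port,
              check_data_endpoint(host, port, public, (60000, 60500)))
```

With PassivePorts pinned to a range and a matching `pass in` rule for that range on the external interface, no ftp-proxy is needed for a passive-mode server; the parser above is what you run against the real server's 227 reply when a client connects but every LIST or RETR hangs.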

Orige
April 19th, 2010, 18:28
OK. Now my pf.conf looks like this:

EXTIF="bge0" # external interface (bge0 in this setup; the macro was missing from the snippet)

nat-anchor "ftp-proxy/*"
nat on $EXTIF from !($EXTIF)->($EXTIF:0)
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 21

anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 keep state



And still nothing.
What am I doing wrong?

SirDice
April 19th, 2010, 19:12
ftp-proxy not running?

Orige
May 10th, 2010, 21:28
Yes, it's running..

I installed pure-ftpd, and when I activate pf, ftp doesn't work.
The problem is pf, but I don't know what to do.
I tried everything.
My pf.conf:
#
# INTERFACES

ext_if="bge0" # receives the Internet uplink
int_if="bge1" # shares it with the internal network
vpn_if="tun0" # VPN interface

#
# MACROS

# IPs
voip="192.168.1.2"
servidor_win="192.168.1.3"
note_regi="192.168.1.4"
# $assistencia is used in a rdr rule below but its definition is missing
# from the posted file; pfctl refuses to load the ruleset until it is defined.

# Services
postgres="5432"
vnc="5500"
radmin="4899"

# Log all traffic on the external interface
set loginterface $ext_if


#
# OPTIMISATION

# Protection against buffer overflow and DDoS attacks
set limit { frags 30000, states 25000 }

# Default firewall optimisation - conservative level
set optimization conservative

#
# SCRUB

set skip on lo0
scrub in all

#
# NAT
nat on $ext_if from !($ext_if)->($ext_if:0)

# FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#
# REDIRECTION

# FTP problem

rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Squid HTTP
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Servers and VoIP

rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432

# Remote assistance

rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc

#
# FILTERING

block log all
block return

pass out all keep state

# Prevent address spoofing on the internal and external interfaces
antispoof for $int_if
antispoof for $ext_if

# Squid
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state
pass in quick on { lo0 , $int_if } all

# FTP
anchor "ftp-proxy/*"
pass quick proto tcp from $int_if to any port 8021 keep state
pass in on $ext_if proto tcp from any to $ext_if port > 49151 keep state

# SSH
pass in on $ext_if inet proto tcp from any to any port ssh keep state



That's basically it.
I tried several configurations for pf.conf, a few combinations of rules, and nothing.
Some of the rules:

pass on $ext_if proto tcp from any to any port 21 keep state
pass on $ext_if proto tcp from any to any port 8021 keep state
pass in on $ext_if proto tcp from any to any port 60000 >< 60500 keep state
pass out quick proto tcp from any to any port ftp keep state
pass out quick proto tcp from any to any port 8021 keep state
pass in quick proto tcp from any to any port ftp keep state
pass quick proto {tcp,udp} from any to any port 21 keep state
pass in on $ext_if inet proto tcp from any port ftp-data to ($ext_if) user proxy flags S/SA keep state
pass in on $ext_if proto tcp from any to any port ftp flags S/SA synproxy state


Help me please.

Best Regards.

Orige
June 9th, 2010, 18:12
I solved the problem..
The problem was me!

DutchDaemon
June 9th, 2010, 18:23
Post your solution. This is not a helpdesk, it's a forum. We share knowledge.

Orige
June 9th, 2010, 21:34
Hold on.. I left that answer to close the matter, and then I'll write up a proper response.

There was one problem.

First, the router that authenticates the Internet connection is completely open, so I thought the problem was in my pf, because everything else is just open and only my server has rules. I concentrated only on the firewall.
I was wrong.
I discovered that my router does not accept incoming connections on port 21 by default; connections that tried to pass through it failed.

Ok

So I opened another port, 2121, and tried to make the connection.
Everything works now.

I did not need to use any kind of proxy (ftp-proxy) or anchors.

Sometimes I was testing the wrong way.

Why, when I try to connect to FTP from my local network as if I were outside it, does the connection fail?

Thanks to everyone who tried to help me.
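The lesson of this thread is that the blocking device was found last because the testing was wrong, not the ruleset. The probe below is an added example (not from the post) of the check that would have located it in one pass: connect to the control port from two vantage points and classify the result, because a silent timeout, a connection-refused RST and a 220 banner each point at a different place on the path. The loopback "daemon" and its banner are constructed so the script runs offline; the `diagnose` wording is this example's own, not pf's output.

```python
import socket
import threading


def probe_ftp(host, port, timeout=3.0):
    """Open a TCP connection to an FTP control port and classify the outcome.

    Returns (status, detail):
      ("banner", "220 ...")  the daemon answered: the path is open end to end
      ("closed", None)       connection accepted, then closed without a banner
      ("refused", None)      RST came back: a host was reached but nothing
                             listens there (or a 'block return' rule answered)
      ("timeout", None)      no reply at all: something on the path drops the
                             SYN silently (pf 'block drop', or an upstream
                             router, as in this thread)
      ("error", text)        anything else (no route, name lookup failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("error", str(exc))
    if not data:
        return ("closed", None)
    first_line = data.decode("ascii", "replace").split("\r\n", 1)[0]
    return ("banner", first_line)


def diagnose(from_lan, from_internet):
    """Combine the status seen from the LAN (to the server's LAN address)
    with the status seen from an outside host (to the public address)."""
    if from_lan != "banner":
        return "fix the server first: daemon not listening or local pf blocks it"
    if from_internet == "banner":
        return "open end to end"
    if from_internet == "timeout":
        return ("daemon and local pf are fine; something upstream drops the "
                "port (check the router's inbound rules)")
    if from_internet == "refused":
        return ("a host answered with RST: port-forward/rdr missing or "
                "pointing at the wrong host")
    return "inconclusive"


def start_fake_ftpd(banner=b"220 FTP StoreComputer ready\r\n"):
    """Constructed stand-in for the real daemon: listens on an ephemeral
    loopback port, sends one banner, closes. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def closed_loopback_port():
    """Pick a loopback port nothing listens on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_fake_ftpd()
    print("listening port:", probe_ftp("127.0.0.1", listening))
    print("closed port:   ", probe_ftp("127.0.0.1", closed_loopback_port()))
    print(diagnose("banner", "timeout"))
```

Run the probe against the public address from a host that is genuinely outside (a mobile connection or a VPS), and against the server's LAN address from inside. A third variant, connecting from the LAN to the public address, is the one the last question describes: that packet arrives on $int_if, so a `rdr ... on $ext_if` never sees it and the connection fails even when everything is correct for outside clients; it only works if a matching rdr is also written for $int_if (NAT reflection), and it says nothing about whether the outside path is open.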

DutchDaemon
June 10th, 2010, 11:31
Thank you.
