pf, ftp-proxy, nat, and dhcp
neurosis
November 20th, 2008, 01:24
I am following the instructions shown in this link.
http://www.openbsd.org/faq/pf/ftp.html#natserver
Here 10.10.10.1 is the IP address of the actual FTP server, 21 is the port we want ftp-proxy(8) to listen on, and 192.168.0.1 is the address on the firewall that we want the proxy to bind to.
My question is, what do you do if your firewall address is dynamic?
aragon
November 20th, 2008, 02:18
ftp-proxy is usually called from inetd for each connection. It should be possible to write a wrapper script that checks the current IP address and then calls ftp-proxy.
When the script exits, use the same exit status from ftp-proxy ($?).
Just a guess. Let me know if you figure it out. :)
neurosis
November 20th, 2008, 03:18
The ftp-proxy I am asking about uses inetd. I don't know anything about writing scripts either. :) Thanks for the suggestions.
aragon
November 20th, 2008, 03:38
Try putting this into a file called ftp-proxy-wrapper.sh and set it executable:
#!/bin/sh
# Called from inetd with the interface name as its only argument;
# inetd hands the accepted connection to ftp-proxy on stdin/stdout.
if [ -z "$1" ]; then exit 1; fi
IFACE=$1
# First IPv4 address on the interface: field 2 of the "inet ..." line.
# (cutting field 1 on spaces returns the word "inet", not the address)
ADDRESS=$( ifconfig "${IFACE}" | awk '/inet /{print $2; exit}' )
if [ -z "${ADDRESS}" ]; then exit 1; fi
ftp-proxy -a "${ADDRESS}"
exit $?
Now call that from inetd:
ftp-proxy stream tcp nowait root /usr/local/sbin/ftp-proxy-wrapper.sh ftp-proxy-wrapper.sh tun0
Replace 'tun0' with whatever interface you use.
Haven't tested this - good luck.
aragon
November 20th, 2008, 03:47
I just had a look at the ftp-proxy man page. It has changed radically since I last used it. It doesn't use inetd at all anymore, so the above script won't work. What version of FreeBSD are you running?
vivek
November 20th, 2008, 07:56
Add it to /etc/rc.conf:
ftpproxy_enable="YES"
Start it:
/etc/rc.d/ftp-proxy start
Update pf.conf as provided by openbsd pf docs and restart pf:
# /etc/rc.d/pf reload
A step by step tutorial:
http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/
neurosis
November 20th, 2008, 20:05
So I followed this tutorial. I've made myself a test pf.conf for testing proxy-only usage. Here is the config.
# cat pf.proxy
ext_if="re0" # The external interface
int_if="rl0" # The internal interface
##Global Options
set loginterface $ext_if
set skip on lo0
## TRAFFIC NORMALIZATION
## QUEUEING RULES
#NAT
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
##Filter rules
block log all
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out on $ext_if proto udp from any to any port 53 # <-- need this to resolve addresses
#Make sure SSH to firewall works
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port 22
I tried to connect to ftp.freebsd.org and had no luck.
I then ran tcpdump -e -n -i lo0 and tried to connect to ftp.freebsd.org. There was no traffic redirected to lo0.
I then pinged lo0 to see if it was accepting traffic.
# tcpdump -e -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
10:52:32.998542 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 0, length 64
10:52:32.998569 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 0, length 64
10:52:33.999648 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 1, length 64
10:52:33.999670 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 1, length 64
10:52:35.000644 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 2, length 64
10:52:35.000666 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 2, length 64
10:52:36.001636 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 3, length 64
10:52:36.001658 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 3, length 64
So I know that I have traffic going to lo0.
I then ran tcpdump -e -n -i pflog0
then tried to connect to ftp.freebsd.org again to make sure that the firewall wasn't blocking. There were no attempts to lo0 blocked.
I wanted to test this so I changed my rules. I removed
set skip on lo0
and reloaded the rules.
I once again ran tcpdump on lo0 and it showed no traffic when I pinged lo0, as expected.
I then ran
tcpdump -e -n -i pflog0
and pinged lo0 again.
# tcpdump -e -n -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
10:36:48.581290 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 0, length 64
10:36:49.581973 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 1, length 64
10:36:50.582966 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 2, length 64
10:36:51.583956 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 3, length 64
Am I doing something wrong here? I don't think that the proxy is working at all.
# ps aux |grep ftp-proxy
proxy 48717 0.0 0.2 3104 916 ?? Ss 6:42AM 0:00.10 ftp-proxy
# sockstat -4 |grep ftp-proxy
proxy ftp-proxy 48717 3 tcp4 127.0.0.1:8021 *:*
I can't see what the problem would be. :(
Mel_Flynn
November 21st, 2008, 04:31
The problem is that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for server connections.
+--------------+      +--------------+      +-------------+
+ 192.168.1.10 + <--- +   Gateway    + <--- +  Internet   +
+  ftp server  +      +  ftp-proxy   +      + ftp client  +
+--------------+      +--------------+      +-------------+
That's where ftp proxy is used.
If you simply want to make ftp connections TO the internet, then you don't need to do anything special. This works out of the box, if your nat is set up properly and FTP_PASSIVE_MODE is set on the client machine.
aragon
November 21st, 2008, 04:53
The problem is that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for server connections.
Rubbish. ftp-proxy can be used in both scenarios.
If you simply want to make ftp connections TO the internet, then you don't need to do anything special. This works out of the box, if your nat is set up properly and FTP_PASSIVE_MODE is set on the client machine.
The point is to get it working in both data modes...
Neurosis, what version of FreeBSD are you running?
neurosis
November 21st, 2008, 05:07
The point is to get it working in both data modes...
Neurosis, what version of FreeBSD are you running?
FreeBSD 7.0-RELEASE-p5
I would love to get this connection working for both passive and active. I am indeed running an ftpd in a jail behind the firewall, but it's proving to be such a pain to get working that I am about to give up. Most of my problems are with my default block all. If I just set a rule to allow all out from the firewall this problem goes away. I am having a problem with both client and ftpd.
The problem is that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for server connections.
I believe that it's used for ftp client connections too. I am assuming so that you don't have to open such a huge range of ports for connections.
http://www.openbsd.org/faq/pf/ftp.html#client
aragon
November 21st, 2008, 05:50
Ok, FreeBSD 7.0 has the new PF so that howto is valid, however I think the author omitted one important detail:
pass out proto tcp from any to any port 21
Try adding that to your ruleset...
neurosis
November 21st, 2008, 06:08
aragon: I did try that earlier today. It gets me a little further but doesn't build the data connection. I used the logs to track down what was going on, and basically I was just starting to create rules as if I weren't using the proxy at all. That was when I figured out that the proxy wasn't working for me. Maybe I am trying to use it in a manner it wasn't meant for?
I have a bit of a silly question here. I notice that when I try to make connections to the internet from my LAN with the block log all rule, it shows the incoming connection attempts being blocked from the LAN PC. When I try to connect to the internet from the jail, rather than showing the incoming connection attempt being blocked as it showed from the LAN PC, it just shows the attempt being blocked from going out on the ext_if (it does show the jail IP being blocked from connecting out). This leads me to believe that even though I have the jail IPs aliased on the int_if, it treats the jails differently, as if they are basically just the host with a different IP. Does anyone have any input on that?
P.S. Sorry if that is hard to understand. I have a hard time articulating my thoughts. :)
aragon
November 21st, 2008, 06:32
Try running the proxy with the -D and -d flags so that you can see what it is doing (or not doing).
neurosis
November 21st, 2008, 07:52
Try running the proxy with the -D and -d flags so that you can see what it is doing (or not doing).
Just as I suspected. It's not doing anything. The connection never even attempts to go through the proxy.
Mel_Flynn
December 2nd, 2008, 07:59
Make two rules for the rdr, one on $int_if and one on $ext_if (two different states).
If that still doesn't work, change block log all to block in log all, then figure out why the anchors for the outgoing proxy connection aren't created.
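To make the two suggestions concrete for the client case discussed in this thread (LAN hosts behind the gateway talking to FTP servers on the internet), here is a pf.conf written as an added example, not a ruleset from the thread, from the OpenBSD FAQ or from the cyberciti tutorial. It keeps the poster's interface names and the default proxy port 8021 from the posted config, adds the "pass out ... port 21" rule aragon suggested, and replaces "block log all" with "block in log all" as Mel_Flynn suggested, so that the proxy's own control connection from the gateway to the remote server is no longer dropped. The NAT rule and the generic LAN egress rule are assumptions about the poster's network; the syntax is the pre-4.7 OpenBSD style that FreeBSD 7.0's pf uses.

```pf
ext_if="re0"        # external interface, as in the posted ruleset
int_if="rl0"        # internal (LAN) interface, as in the posted ruleset
proxy_port="8021"   # ftp-proxy(8) default listen port on 127.0.0.1

set loginterface $ext_if
set skip on lo0

# ASSUMPTION: the LAN lives on $int_if and the public address (possibly
# dynamic) is on $ext_if; the ($ext_if) form follows address changes.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# ftp-proxy(8) installs its own nat/rdr/pass rules for each data
# connection inside these anchors, so they must be present and must
# precede the generic rules below.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect LAN clients' control connections into the proxy. Binding the
# rdr to $int_if means it only matches packets arriving from the LAN;
# "rdr pass" also passes the redirected packets, so no separate
# "pass in" for port 21 from the LAN is needed.
rdr pass on $int_if proto tcp from $int_if:network to any port ftp \
    -> 127.0.0.1 port $proxy_port

# Block inbound only. The original "block log all" also blocked the
# proxy's outbound control connection (gateway -> server port 21), so
# the anchor never received any data-connection rules.
block in log all

anchor "ftp-proxy/*"

# The proxy's outbound control connection (aragon's missing rule).
# Redundant with block-in-only, kept explicit so the intent is visible.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp keep state

# ASSUMPTION: LAN hosts are otherwise allowed out (the poster's test
# ruleset deliberately omitted this while testing the proxy alone).
pass in on $int_if inet from $int_if:network to any keep state

# Housekeeping the posted ruleset already had.
pass out on $ext_if proto udp from any to any port 53 keep state
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
```

Two checks worth running after "pfctl -f": "pfctl -a 'ftp-proxy/*' -sr" should show rules appearing in the anchor while a LAN client has an FTP data transfer open, and "tcpdump -n -i pflog0" should no longer show "block out on re0" entries for port 21. Note that rdr only ever matches packets arriving on an interface, so FTP sessions that originate on the gateway itself (including jails with addresses aliased onto $int_if, as observed earlier in the thread) never pass "in" on $int_if and are not redirected by this rule at all; this ruleset covers LAN clients only, and the server-side instance for the jailed ftpd would need its own ftp-proxy listener and an rdr on $ext_if as described in the natserver section of the OpenBSD FAQ linked in the first post.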
chrcol
May 20th, 2009, 09:16
Guys, I am trying to get this to work on FreeBSD 6.4.
It seems it's easier on FreeBSD 7, as the supplied ftp-proxy runs as a daemon whilst the one with FreeBSD 6 is called by inetd and doesn't work.
As a workaround I have the pasv ports currently always open in PF but I want to use ftp-proxy instead.