[Solved] Ftp trap with pf - The FreeBSD Forums
#1  Orige (Junior Member), May 18th, 2010, 22:17
Ftp trap with pf

Hi all ...

I want to build an FTP server on my firewall server. I used pure-ftp, proftp and nothing worked.
Probably the problem is in pf.conf.

My environment has FTP_PASSIVE_MODE=YES, and ftp-proxy is configured for port 8021.
Access to this FTP server from my local network works fine, but from the external network the user cannot authenticate.

My pf.conf:

Code:
[root@server /etc]# cat /etc/pf.conf_edit  
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

#Interfaces  
ext_if = "bge0" # Internet
int_if = "bge1" # vpn / lan

#FTP   
proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port

#IPS
voip="192.168.1.2"
servidor_win="192.168.1.3"
note_regi="192.168.1.4"
assistencia="192.168.1.5"
jairo="192.168.1.6"
suporte3="192.168.1.10"			#Daniel
suporte4="192.168.1.11"			#Fabiano
suporte5="192.168.1.8"			#Call
suporte6="192.168.1.7"			#Jonas
suporte7="192.168.1.13"			#Regina
suporte8="192.168.1.15"			#Vazio
desenvolvimento="192.168.1.14"		#Jeser

# Servicos
postgres="5432"
vnc="5500"
radmin="4899"
    
#### Normalization
scrub in all
          
#### NAT and RDR
# NAT
nat on $ext_if from !($ext_if)->($ext_if:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

# Servidores e VOIP
rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432

# Assistencia
rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc

# Suporte
rdr pass on $ext_if proto tcp from any to any port 4898 -> $note_regi port $radmin
rdr pass on $ext_if proto tcp from any to any port 5501 -> $note_regi port $vnc
rdr pass on $ext_if proto tcp from any to any port 4897 -> $jairo port $radmin
rdr pass on $ext_if proto tcp from any to any port 5502 -> $jairo port $vnc
rdr pass on $ext_if proto tcp from any to any port 1723 -> $jairo port 1723
rdr pass on $ext_if proto tcp from any to any port 5503 -> $suporte3 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5506 -> $suporte4 port $vnc
rdr pass on $ext_if proto tcp from any to any port 4895 -> $suporte4 port $radmin
rdr pass on $ext_if proto tcp from any to any port 5504 -> $suporte5 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5505 -> $suporte6 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5507 -> $suporte7 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5509 -> $suporte8 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5508 -> $desenvolvimento port $vnc

#### Start filtering
# Drop incoming everything
#block in all
pass in all               
# Default connection refused message to client
block return  

# keep state of outgoing connections
pass out keep state

#Squid
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to 127.0.0.1 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 127.0.0.1 port > 49151 keep state

# Unlimited traffic for lo0 and VPN/Lan interface
set skip on {lo0, $int_if}

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This mechanism protects
# against activity from spoofed or forged IP addresses
antispoof log for $ext_if

#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing Trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow incoming named udp / tcp 53
pass in on $ext_if proto udp from any to any port 53 keep state
# All tcp service protected using synproxy
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
# Allow ICMP ping
pass inet proto icmp all icmp-type $icmp_types keep state
My inetd.conf:
Code:
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l -l
When I try to access FTP from the external network:
Code:
ftp ftp.storec.ddns.com.br
Connected to ftp.storec.ddns.com.br.
220 Ftp firmware update utility
Name (ftp.storec.ddns.com.br:root): ftp
331 Password please.
Password:
421 Login incorrect.
ftp: Login failed.
When I try to access FTP from the local network:

Code:
ftp 192.168.1.1
Connected to 192.168.1.1.
220 server.store FTP server (Version 6.00LS) ready.
Name (192.168.1.1:root): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
Sorry for my bad English.

Thanks a lot

Eduardo Orige

Last edited by Orige; July 27th, 2010 at 12:28.
#2  SirDice (Moderator, Rotterdam, Netherlands), May 19th, 2010, 08:14

http://www.openbsd.org/faq/pf/ftp.html
#3  Orige (Junior Member), May 19th, 2010, 12:10

SirDice, I read and re-read this FAQ.
I put anchors in pf, rules with NAT, and nothing.
I tried several combinations of rules and they didn't work.

Can you post your pf.conf for an FTP server here?

About the FAQ, my case is "PF "Self-Protecting" an FTP Server".
So I added more lines to my pf.conf:

Code:
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port 20 keep state
pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
Even so, the same error happens.

Last edited by Orige; May 19th, 2010 at 14:32.
#4  FryShadow (Junior Member), May 21st, 2010, 16:58

Have you set this in rc.conf?

Code:
ftpproxy_enable="YES"

Last edited by DutchDaemon; May 21st, 2010 at 17:19.
#5  Orige (Junior Member), May 22nd, 2010, 04:29

Yes.
Code:
ftpproxy_enable="YES"
and
Code:
ftpproxy_flags=""
#6  Orige (Junior Member), June 9th, 2010, 18:13
Solved

There was one problem.

First, the router that authenticates to the Internet is completely open, so I thought the problem was in my pf, because everything is open and only my server has rules. I concentrated only on the firewall.
I was wrong.
I discovered that my router does not accept incoming connections to port 21 by default; connections that tried to pass through it failed.

Ok

So I opened another port, 2121, and tried to make the connection.
All right now.

I did not need to use any kind of proxy (ftp-proxy) or anchors.
Thanks to everyone who tried to help me.

Last edited by Orige; June 9th, 2010 at 21:35.
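As an added example (not from the thread or any poster): the two transcripts in post #1 already show different 220 banners on the internal and external paths, which is consistent with the upstream router this post identifies. This Python script parses an ftp client transcript, compares the two vantage points, and also checks any PASV reply against the pf rule in post #1 that only passes data ports > 49151. The transcripts are constructed from the thread's sessions, with a PASV line added for illustration.

```python
import re
from dataclasses import dataclass, field

# PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PASV_LOW = 49152  # lowest port the thread's rule 'port > 49151' passes


@dataclass
class FtpSession:
    banner: str = ""             # text of the first 220 greeting
    login_ok: bool = False       # a 230 reply was seen
    pasv_ports: list = field(default_factory=list)


def parse_session(transcript: str) -> FtpSession:
    """Extract banner, login outcome and PASV data ports from an ftp client transcript."""
    s = FtpSession()
    for line in transcript.splitlines():
        m = re.match(r"(\d{3})[ -](.*)", line)
        if not m:
            continue  # client prompts such as 'Password:' carry no server reply code
        code, text = m.groups()
        if code == "220" and not s.banner:
            s.banner = text.strip()
        elif code == "230":
            s.login_ok = True
        pm = PASV_RE.match(line)
        if pm:
            s.pasv_ports.append(int(pm.group(5)) * 256 + int(pm.group(6)))
    return s


def compare_vantage(internal: FtpSession, external: FtpSession) -> list:
    """Return findings that point at an upstream device or a passive-port mismatch."""
    findings = []
    if internal.banner != external.banner:
        findings.append("banner differs: another host answers port 21 on the external path")
    if internal.login_ok and not external.login_ok:
        findings.append("login succeeds internally but fails externally")
    low = [p for p in external.pasv_ports if p < PASV_LOW]
    if low:
        findings.append(f"PASV data ports {low} are below {PASV_LOW}; pf would block them")
    return findings


# Constructed transcripts modelled on the thread's two sessions (PASV line is invented).
EXTERNAL = "220 Ftp firmware update utility\n331 Password please.\n421 Login incorrect.\n"
INTERNAL = ("220 server.store FTP server (Version 6.00LS) ready.\n"
            "230 Guest login ok, access restrictions apply.\n"
            "227 Entering Passive Mode (192,168,1,1,200,10)\n")
```

Run `compare_vantage(parse_session(INTERNAL), parse_session(EXTERNAL))` to get the list of findings; feeding it a transcript captured with the pf.conf's passive range misconfigured adds a third finding about the data ports.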