Hi all ...
I want to build a ftp-server in my firewall server. I Used pure-ftp, proftp and nothing.
Probaly, the problem is in pf.conf.
My env Have FTP_PASSIVE_MODE = YES, and the ftp-proxy is configured for port 8021.
The access for this FTP firewall on in my local network works fine But in external network, can not authenticate the user.
My pf.conf.:
My inetd.conf.:
When I try to access ftp from external network.:
When I try to access ftp from local network.:
Sorry for my bad english.
Thanks a lot
Eduardo Orige
I want to build a ftp-server in my firewall server. I Used pure-ftp, proftp and nothing.
Probaly, the problem is in pf.conf.
My env Have FTP_PASSIVE_MODE = YES, and the ftp-proxy is configured for port 8021.
The access for this FTP firewall on in my local network works fine But in external network, can not authenticate the user.
My pf.conf.:
Code:
[root@server /etc]# cat /etc/pf.conf_edit
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
#Interfaces
ext_if = "bge0" # Internet
int_if = "bge1" # vpn / lan
#FTP
proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port
#IPS
voip="192.168.1.2"
servidor_win="192.168.1.3"
note_regi="192.168.1.4"
assistencia="192.168.1.5"
jairo="192.168.1.6"
suporte3="192.168.1.10" #Daniel
suporte4="192.168.1.11" #Fabiano
suporte5="192.168.1.8" #Call
suporte6="192.168.1.7" #Jonas
suporte7="192.168.1.13" #Regina
suporte8="192.168.1.15" #Vazio
desenvolvimento="192.168.1.14" #Jeser
# Servicos
postgres="5432"
vnc="5500"
radmin="4899"
#### Normalization
scrub in all
#### NAT and RDR
# NAT
nat on $ext_if from !($ext_if)->($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
# Servidores e VOIP
rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432
# Assistencia
rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc
# Suporte
rdr pass on $ext_if proto tcp from any to any port 4898 -> $note_regi port $radmin
rdr pass on $ext_if proto tcp from any to any port 5501 -> $note_regi port $vnc
rdr pass on $ext_if proto tcp from any to any port 4897 -> $jairo port $radmin
rdr pass on $ext_if proto tcp from any to any port 5502 -> $jairo port $vnc
rdr pass on $ext_if proto tcp from any to any port 1723 -> $jairo port 1723
rdr pass on $ext_if proto tcp from any to any port 5503 -> $suporte3 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5506 -> $suporte4 port $vnc
rdr pass on $ext_if proto tcp from any to any port 4895 -> $suporte4 port $radmin
rdr pass on $ext_if proto tcp from any to any port 5504 -> $suporte5 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5505 -> $suporte6 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5507 -> $suporte7 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5509 -> $suporte8 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5508 -> $desenvolvimento port $vnc
#### Start filtering
# Drop incoming everything
#block in all
pass in all
# Default connection refused message to client
block return
# keep stats of outging connections
pass out keep state
#Squid
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to 127.0.0.1 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 127.0.0.1 port > 49151 keep state
# Unlimited traffic for lo0 and VPN/Lan interface
set skip on {lo0, $int_if}
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# Antispoof is a common special case of filtering and blocking. This mechanism protects #against activity from spoofed or forged IP addresses
antispoof log for $ext_if
#Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow outgoing Trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow incomming named udp / tcp 53
pass in on $ext_if proto udp from any to any port 53 keep state
# All tcp service protected using synproxy
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
# Allow ICMP ping
pass inet proto icmp all icmp-type $icmp_types keep stateMy inetd.conf.:
Code:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -lWhen I try to access ftp from external network.:
Code:
ftp ftp.storec.ddns.com.br
Connected to ftp.storec.ddns.com.br.
220 Ftp firmware update utility
Name (ftp.storec.ddns.com.br:root): ftp
331 Password please.
Password:
421 Login incorrect.
ftp: Login failed.When I try to access ftp from local network.:
Code:
ftp 192.168.1.1
Connected to 192.168.1.1.
220 server.store FTP server (Version 6.00LS) ready.
Name (192.168.1.1:root): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.Sorry for my bad english.
Thanks a lot
Eduardo Orige
