
Ftp trap with pf

Discussion in 'Firewalls' started by Orige, May 18, 2010.

  1. Orige

    Orige New Member

    Hi all ...

    I want to build an FTP server on my firewall server. I used pure-ftp, proftp, and nothing.
    Probably the problem is in pf.conf.

    My environment has FTP_PASSIVE_MODE = YES, and the ftp-proxy is configured for port 8021.
    Access to this FTP server on the firewall from my local network works fine, but from the external network the user cannot authenticate.

    My pf.conf:

    Code:
    [root@server /etc]# cat /etc/pf.conf_edit  
    tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
    udp_services = "{ domain, ntp }"
    icmp_types = "{ echoreq, unreach }"
    
    martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
    
    #Interfaces  
    ext_if = "bge0" # Internet
    int_if = "bge1" # vpn / lan
    
    #FTP   
    proxy="127.0.0.1" # ftp proxy IP
    proxyport="8021" # ftp proxy port
    
    #IPS
    voip="192.168.1.2"
    servidor_win="192.168.1.3"
    note_regi="192.168.1.4"
    assistencia="192.168.1.5"
    jairo="192.168.1.6"
    suporte3="192.168.1.10"			#Daniel
    suporte4="192.168.1.11"			#Fabiano
    suporte5="192.168.1.8"			#Call
    suporte6="192.168.1.7"			#Jonas
    suporte7="192.168.1.13"			#Regina
    suporte8="192.168.1.15"			#Vazio
    desenvolvimento="192.168.1.14"		#Jeser
    
    # Servicos
    postgres="5432"
    vnc="5500"
    radmin="4899"
        
    #### Normalization
    scrub in all
              
    #### NAT and RDR
    # NAT
    nat on $ext_if from !($ext_if)->($ext_if:0)
    
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    	        
    # Redirect ftp traffic to proxy
    rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
    
    		 
    # Servidores e VOIP
    rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
    rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
    rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
    rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
    rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432
    
    # Assistencia
    rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc
    
    # Suporte
    rdr pass on $ext_if proto tcp from any to any port 4898 -> $note_regi port $radmin
    rdr pass on $ext_if proto tcp from any to any port 5501 -> $note_regi port $vnc
    rdr pass on $ext_if proto tcp from any to any port 4897 -> $jairo port $radmin
    rdr pass on $ext_if proto tcp from any to any port 5502 -> $jairo port $vnc
    rdr pass on $ext_if proto tcp from any to any port 1723 -> $jairo port 1723
    rdr pass on $ext_if proto tcp from any to any port 5503 -> $suporte3 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 5506 -> $suporte4 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 4895 -> $suporte4 port $radmin
    rdr pass on $ext_if proto tcp from any to any port 5504 -> $suporte5 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 5505 -> $suporte6 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 5507 -> $suporte7 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 5509 -> $suporte8 port $vnc
    rdr pass on $ext_if proto tcp from any to any port 5508 -> $desenvolvimento port $vnc
    
    		       
    #### Start filtering
    # Drop incoming everything
    #block in all
    pass in all               
    # Default connection refused message to client
    block return  
    
    # keep state of outgoing connections
    pass out keep state
    			        
    #Squid
    pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
    pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state
    
    # We need to have an anchor for ftp-proxy
    anchor "ftp-proxy/*"
    pass in on $ext_if proto tcp from any to 127.0.0.1 port 21 flags S/SA synproxy state
    pass in on $ext_if proto tcp from any to 127.0.0.1 port > 49151 keep state
    
    # Unlimited traffic for lo0 and VPN/Lan interface
    set skip on {lo0, $int_if}
    				   
    # activate spoofing protection for all interfaces
    block in quick from urpf-failed
    				      
    # Antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
    antispoof log for $ext_if
    				          
    #Block RFC 1918 addresses
    block drop in log (all)  quick on $ext_if from $martians to any
    block drop out log (all) quick on $ext_if from any to $martians
    					     
    # Allow outgoing via ssh, smtp, domain, www, https, whois etc
    pass out on $ext_if proto tcp to any port $tcp_services
    pass out on $ext_if proto udp to any port $udp_services
    					           
    # Allow outgoing Trace route
    pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
    
    # Allow incoming named udp / tcp 53
    pass in on $ext_if proto udp from any to any port 53 keep state
    # All tcp service protected using synproxy
    pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
    # Allow http traffic
    pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
    # SSH
    pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
    # Allow ICMP ping
    pass inet proto icmp all icmp-type $icmp_types keep state
    


    My inetd.conf:
    Code:
    ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l -l
    


    When I try to access ftp from the external network:
    Code:
    ftp ftp.storec.ddns.com.br
    Connected to ftp.storec.ddns.com.br.
    220 Ftp firmware update utility
    Name (ftp.storec.ddns.com.br:root): ftp
    331 Password please.
    Password:
    421 Login incorrect.
    ftp: Login failed.
    


    When I try to access ftp from the local network:

    Code:
    ftp 192.168.1.1
    Connected to 192.168.1.1.
    220 server.store FTP server (Version 6.00LS) ready.
    Name (192.168.1.1:root): ftp
    331 Guest login ok, send your email address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    


    Sorry for my bad English.

    Thanks a lot

    Eduardo Orige
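    The ruleset above mixes sections that the pf shipped with FreeBSD at the time (derived from OpenBSD 4.1's pf) required in a fixed order: options, normalization, queueing, translation, then filter rules, with pfctl rejecting a file that breaks the order. The rdr for port ftp also has no `on` clause, so it applies to packets arriving on every interface, including $ext_if. The script below is an added example, not code from this thread or from pf; it runs two static checks over an abridged copy of the pf.conf posted above (the `PF_CONF_EXCERPT` string, the `SECTIONS` table and the `lint()` helper are this example's own constructions) and reports the line numbers of anything it finds.

```python
"""Static checks over a pf.conf (added example; not from the thread or from pf).

The excerpt below is copied, abridged, from the pf.conf posted in this thread.
The rule-order check reflects the pf of FreeBSD 7/8 (OpenBSD 4.1 lineage), whose
pfctl required: options, normalization, queueing, translation, filtering.
"""
import re

# Abridged copy of the posted configuration (macros and a few rules kept).
PF_CONF_EXCERPT = """\
ext_if = "bge0"
int_if = "bge1"
proxy="127.0.0.1"
proxyport="8021"
scrub in all
nat on $ext_if from !($ext_if)->($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
rdr pass on $ext_if proto tcp from any to any port 5060 -> 192.168.1.2 port 5060
#block in all
pass in all
block return
pass out keep state
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to 127.0.0.1 port 21 flags S/SA synproxy state
set skip on {lo0, $int_if}
block in quick from urpf-failed
antispoof log for $ext_if
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
"""

# Section order that pf enforced at the time; a rule may not belong to an
# earlier section than any rule before it.
SECTIONS = [
    ("option", ("set",)),
    ("normalization", ("scrub",)),
    ("queueing", ("altq", "queue")),
    ("translation", ("nat", "rdr", "binat",
                     "nat-anchor", "rdr-anchor", "binat-anchor")),
    ("filter", ("pass", "block", "antispoof", "anchor")),
]
MACRO_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def classify(line):
    """Return the pf section of a rule line, or None for macros, comments, blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or MACRO_RE.match(stripped):
        return None
    keyword = stripped.split()[0]
    for name, keywords in SECTIONS:
        if keyword in keywords:
            return name
    return None


def lint(conf):
    """Return a list of (lineno, message) findings for the given pf.conf text."""
    findings = []
    order = [name for name, _ in SECTIONS]
    highest = -1            # index of the latest section seen so far
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        section = classify(line)
        if section is not None:
            idx = order.index(section)
            if idx < highest:
                findings.append((lineno, "%s rule after %s rules; pf required "
                                 "sections in order (move it up)"
                                 % (section, order[highest])))
            highest = max(highest, idx)
        # An rdr without 'on <if>' matches packets arriving on every interface,
        # so the ftp redirect also catches port 21 traffic coming in on $ext_if.
        if (stripped.startswith("rdr") and " on " not in stripped
                and " port ftp " in stripped):
            findings.append((lineno, "rdr for port ftp has no 'on' clause; it "
                             "applies on all interfaces including $ext_if"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint(PF_CONF_EXCERPT):
        print("line %d: %s" % (lineno, message))
```

    Running it on the excerpt flags the ftp rdr (no interface) and the `set skip` line, which sits after filter rules and belongs at the top with the other options.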
     
  2. SirDice

    SirDice Moderator Staff Member
  3. Orige

    Orige New Member

    SirDice.. I read and re-read this FAQ.
    I put anchors in pf, rules with nat, and nothing.
    I tried several combinations of rules and they didn't work.

    Can you post your pf.conf for an FTP server here?

    About the FAQ, my case is "PF "Self-Protecting" an FTP Server".
    So I added more lines to my pf.conf:

    Code:
    pass in on $ext_if proto tcp from any to any port 21 keep state
    pass in on $ext_if proto tcp from any to any port 20 keep state
    pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
    

    Even so, the same error happens.
     
  4. FryShadow

    FryShadow New Member

    Have you set this in rc.conf?

    Code:
    ftpproxy_enable="YES"
     
  5. Orige

    Orige New Member

    Yes.
    Code:
    ftpproxy_enable="YES"
    and
    Code:
    ftpproxy_flags=""
     
  6. Orige

    Orige New Member

    Solved

    There was one problem.

    First, the router that authenticates to the Internet is completely open, so I thought the problem was in my pf, because everything is just open and only my server has rules. I concentrated only on the firewall.
    I was wrong.
    I discovered that my router does not accept incoming connections on port 21 by default; connections that tried to pass through it failed.

    Ok

    So I opened another port, 2121, and tried to make the connection.
    All right now.

    I did not need to use any kind of proxy (ftp-proxy) or anchors.
    Thanks to everyone who tried to help me.
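    The two transcripts in the first post already carry the evidence for this conclusion: the external session was greeted with "220 Ftp firmware update utility", while the local session was greeted by the FreeBSD ftpd ("220 server.store FTP server (Version 6.00LS) ready."), so whatever answered port 21 from outside was not the firewall's ftpd. Comparing the 220 banner and the final reply code is a cheap first check whenever a port-forward "half works". The script below is an added example, not code from this thread; it embeds both transcripts as copied from the first post (the `EXTERNAL_SESSION` and `LOCAL_SESSION` strings) and the parsing helpers (`parse_replies`, `banner`, `login_result`, `diagnose`) are this example's own, following RFC 959 reply-code conventions.

```python
"""Compare two FTP session transcripts to see which daemon answered port 21.

Added example, not code from the thread. The transcripts below are copied
from the first post; server replies follow the RFC 959 'nnn text' form.
"""
import re

# Transcript of the session from the external network (copied from the thread).
EXTERNAL_SESSION = """\
ftp ftp.storec.ddns.com.br
Connected to ftp.storec.ddns.com.br.
220 Ftp firmware update utility
Name (ftp.storec.ddns.com.br:root): ftp
331 Password please.
Password:
421 Login incorrect.
ftp: Login failed.
"""

# Transcript of the session from the local network (copied from the thread).
LOCAL_SESSION = """\
ftp 192.168.1.1
Connected to 192.168.1.1.
220 server.store FTP server (Version 6.00LS) ready.
Name (192.168.1.1:root): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
"""

# A server reply line starts with a three-digit code, then a space (or '-' for
# multi-line replies) and free text. Client prompts and messages do not match.
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")


def parse_replies(transcript):
    """Return [(code, text)] for every server reply line in the transcript."""
    replies = []
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((int(m.group(1)), m.group(2)))
    return replies


def banner(transcript):
    """The 220 greeting identifies which daemon actually accepted the connection."""
    for code, text in parse_replies(transcript):
        if code == 220:
            return text
    return None


def login_result(transcript):
    """Classify the USER/PASS exchange by the reply codes that follow it."""
    codes = [code for code, _ in parse_replies(transcript)]
    if 230 in codes:
        return "logged-in"                 # 230: user logged in
    if 421 in codes:
        return "failed-421"                # 421: service not available, closing
    if any(530 <= code <= 532 for code in codes):
        return "rejected-5xx"              # 530/532: not logged in / need account
    return "unknown"


def diagnose(external, local):
    """Return findings from comparing the external and local sessions."""
    findings = []
    ext_banner, loc_banner = banner(external), banner(local)
    if ext_banner != loc_banner:
        findings.append("different daemon answered externally: %r vs %r"
                        % (ext_banner, loc_banner))
    findings.append("external login: " + login_result(external))
    findings.append("local login: " + login_result(local))
    return findings


if __name__ == "__main__":
    for finding in diagnose(EXTERNAL_SESSION, LOCAL_SESSION):
        print(finding)
```

    A banner mismatch between inside and outside means the connection never reached the intended host, so the place to look is the device in front of it (here, the router's own port 21 handling), not the host's filter rules.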