PF 12.2 -> 13.0 upgrade made ftp-proxy stop working

luffare

New Member


Messages: 3

I can not get ftp-proxy to work on FreeBSD 13.0, after upgrade from 12.2 it breaks.
The setup is a PF firewall doing NAT and with a ftp-proxy enabled, between a internal network and the company intranet.
A FTP client (10.223.120.110) on the internal network is trying to reach a FTP-server (131.97.51.225) on the intranet.

I upgraded some machines but all FTP fails after that.
The tcpdump -netttti pflog0 do not show any denies.

I have reduced a working [FILE/etc/pf.conf][/FILE] on 12.2 and looks like this:
Code:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

nat pass on em1 from em0:network to any -> (em1)
rdr inet proto tcp from em0:network to any port 21 -> 127.0.0.1 port 8021

block quick inet6 all
block return in log all

anchor "ftp-proxy/*"

pass proto tcp from em0:network to 127.0.0.1 port 8021
pass proto tcp from (em1) to any port 21

It is started in /etc/rc.conf.
Code:
# PF Firewall
pf_enable="YES"
pflog_enable="YES"
gateway_enable="YES"
ftpproxy_enable="YES"

On the 12.2-RELEASE-p6 pftop -f "net 127.0.0.0/8 or host 131.97.51.225 or port 8021 or port 21 or host 10.223.120.110" givs:
Code:
pfTop: Up State 1-2/2 (2), View: default, Order: none, Cache: 10000                                            13:03:18

PR      DIR SRC                     DEST                             STATE                AGE       EXP    PKTS   BYTES
tcp     Out 10.221.31.194:32825     131.97.51.225:21        ESTABLISHED:ESTABLISHED  00:00:22  23:59:46      17    1583
tcp     In  10.223.120.110:43840    127.0.0.1:8021          ESTABLISHED:ESTABLISHED  00:00:22  23:59:46      17    1583
After that I can happily run both active and passive FTP.

But after upgrading it to 13.0-RELEASE the same pftop givs as below, the same configuration is kept.
Code:
tcp     In  10.223.120.110:37112    127.0.0.1:8021          ESTABLISHED:ESTABLISHED  00:00:01  23:59:59       3     172
The outgoing session will not start, just sitts there.

I added pass all as the last row in /etc/pf.conf in my desperation, same result however.
I search for simular problem without succsess, if not the rules it must be a redirect, or, what am I missing??
 

astyle

Aspiring Daemon

Reaction score: 375
Messages: 858

There was some discussion on FreeBSD email lists about disabling FTP altogether... Port 21 is not a secure port. I would strongly suggest exploring ways to move files using something else. As a minimum, sFTP (ftp/hsftp) or something similar.
 

diizzy

Aspiring Daemon

Reaction score: 164
Messages: 532

Do you have a rule that allows ftp-proxy to connect (if you're blocking traffic on ext_if)?

Code:
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy
 
OP
L

luffare

New Member


Messages: 3

Thanks for your replies, I will try your proposals when back in office tomorrow but should not the pass all I tried at the end of /etc/pf.conf take care of any missing rules?
Does 13.0 differ from 12.2 when it comes to rules, is 13.0 more rigid?

I also strongly agree that FTP is obsolete and should not be used, it is even banned to be used inhouse but it is critical and allowed exception for certain vendor communication, so what to do!
 

covacat

Well-Known Member

Reaction score: 198
Messages: 423

you can use passive ftp with vanilla nat, no proxies or special packet alteration (like libalias does)
 
OP
L

luffare

New Member


Messages: 3

Good idea, we can most probably live with passive FTP.
I guess that it solves my issue with FTP, just have to verify that our vendor can use passive, I recon that they already do it.
Thanks for an elegant and simple work around.


Additional info for others:
I did some more testing today, allowing more and more, including a pass all at the end, without any progress, I'm prety sure it's not a missing rule.

The ftp-proxy refuse to start the outgoing session, I did run ftp-proxy in the foreground and tried to see logging and debugging while running FTP.
Code:
 # /usr/sbin/ftp-proxy -d -D7 -v -v
listening on 127.0.0.1 port 8021
It just sits there, doing and telling nothing, I guess ftp-proxy is broken in 13.0.
 

astyle

Aspiring Daemon

Reaction score: 375
Messages: 858

... and the conclusion was not to do it.
The devs did have some use-cases that involved their personal systems. For enterprise-grade file movement, Microsoft's OneDrive or Google's Drive or even on-premise, public-facing ownCloud/nextCloud would be my suggestions as FTP replacements. Yeah, they're more work to set up, but they are more secure. ownCloud is in FreeBSD's ports, BTW.
 
Top