PF: Allow client to connect to passive FTPs

Hi all, does anyone know how to allow my packet filter firewall to connect to passive FTP servers (FTP that doesn't operate on the common port 21)?
Below I'm showing my /etc/pf.conf
Code:
block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22  21 53 80 123 443 }

Thanks in advance
I'm coming from Linux and I'm a newbie in FreeBSD.

Sorry for my English.
 
Passive mode FTP means that the FTP server will open a random unprivileged port for the client to connect to. You'll need to allow all outbound ports from your system for that to work.

Some firewalls have a built-in application level gateway (ALG) where they monitor the FTP command connection and automatically open the required ports to make FTP active and passive modes work.

pf doesn't have an FTP ALG, and I will actively resist adding one. FTP is a horrible protocol and it's well past time for it to go away.
 
If you really need FTP, I would suggest using something that allows specifying a port range, such as pure-ftpd, and choosing a fairly restrictive high range that is enough for the number of clients you expect. Then open those ports in the firewall. You can also use Let's Encrypt to enable FTPS.

That or use file transfer over ssh.
 
There is also proftpd, where you can specify the passive port range. As these ports have to be redirected, you can add to /etc/sysctl.conf on the FTP host machine: net.inet.tcp.blackhole=2.
By doing this, the machine won't respond "port closed" in case your IP is being scanned.
 
I'm happy with this community, answers come very quickly...

Yesterday I read a lot of documentation about ftp-proxy to make my FreeBSD client work (it is not a server). I only want to download some packages from an FTP server (not make a server like pure-ftpd or something like that).
Can anyone give me an example of how to configure my FreeBSD client to allow FTP downloads?

My scenario is only a VirtualBox VM with only one network interface connected to the internet at home, without any enterprise-class firewall connected.
Below is my new pf.conf.
Code:
proxy="127.0.0.1"
proxyport="8021"
int="em0"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int proto tcp from any to any port 21 -> $proxy port $proxyport

set skip on lo0
block all
pass out proto {tcp udp} to port {22 ftp 53 80 123 443 }
pass out inet proto icmp icmp-type { echoreq }
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21
pass in proto tcp from $proxy to any port 21
pass in proto tcp from $proxy to any port 8021
pass out proto tcp from $proxy to any port 8021
pass in proto {tcp udp} to port {21 20 8021}
pass out proto {tcp udp} to port {21 20 8021}
 
For passive FTP you only have to worry about outgoing traffic. So as long as you have a NAT rule that translates your outgoing traffic it should work. You do need to allow both 21 and port 20 for FTP. Only port 21 isn't enough.

Code:
pass out proto {tcp udp} to port {22 ftp 53 80 123 443 }
Don't open UDP for 22 (SSH), 21 (FTP), 80 (HTTP) and 443 (HTTPS). Those protocols all work on TCP only. Only 123 (NTP) works on UDP. You also need to allow outgoing DNS requests, that happens on UDP and TCP port 53.

Code:
rdr pass on $int proto tcp from any to any port 21 -> $proxy port $proxyport
That's for incoming FTP, if you have an FTP server running. You don't need this for outgoing FTP (FTP clients).
 
> For passive FTP you only have to worry about outgoing traffic. So as long as you have a NAT rule that translates your outgoing traffic it should work. You do need to allow both 21 and port 20 for FTP. Only port 21 isn't enough.

A detail maybe, but TCP 21 is the listening port for the ftp command connection. TCP 20 is the source port for the data connection (in active mode). So, you need to allow incoming packets to TCP 21 and outgoing packets when the source port is TCP 20. This is often misunderstood. Don't open TCP 20 to incoming packets.
 
Hmm, it's very suspicious that nobody has posted a pf configuration... to allow downloading FTP files... I just want to do a wget ftp://ftp.jhweiss.de/pub/users/weiss/deletemail/deletemail-0.5.tar.gz

I know that the key is to spend a lot of time reading man pages or articles in the Handbook, but no config is working for me and I think that my scenario is not complex.
I only want a workstation connected to the internet and I want to download a file via FTP with packet filter enabled (why is this goal so hard?).
At the moment I've spent 2 days and it's very frustrating.

In fact there are a lot of people saying that FTP is too old (obsolete technology, but there are a lot of servers working on the internet).
These people saying this, it seems to me they have the same problem with packet filter... or not... it's only a feeling.
By the way, I have FreeBSD 12.2-RELEASE... are there reported problems with packet filter? Anybody know?

Please, can anyone give me a full pf.conf allowing this? I'll buy a beer.
 
First two sentences of the first reply to your question:

> Passive mode FTP means that the FTP server will open a random unprivileged port for the client to connect to. You'll need to allow all outbound ports from your system for that to work.

You are blocking all output connections other than to ports 22 21 53 80 123 443. Change your last line to 'pass out proto { tcp udp }' and passive mode FTP will work.
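To make the point of the first reply and this last one concrete, here is an added example (not from this thread or from pf) that parses the server's passive-mode reply the way an FTP client does and checks the negotiated data port against a model of the asker's "pass out ... to port {...}" rule. It also handles the newer EPSV (229) reply form; the reply bytes, host and port set are constructed for illustration.

```python
import re

# Constructed sample replies, as an FTP server sends them on the control
# connection. PASV format is from RFC 959 (h1,h2,h3,h4,p1,p2), EPSV from
# RFC 2428 (|||port|). Neither comes from a real server.
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,235).\r\n"
EPSV_REPLY = b"229 Entering Extended Passive Mode (|||50155|).\r\n"

# The asker's outbound rule modelled as the destination ports a
# "pass out proto tcp to port {...}" rule allows. None models the
# unrestricted "pass out proto { tcp udp }" suggested above.
ASKER_OUT_PORTS = {22, 21, 53, 80, 123, 443}
UNRESTRICTED = None


def parse_passive_reply(reply: bytes, control_host: str) -> tuple[str, int]:
    """Return (host, port) of the data connection the server asks us to open."""
    if reply.startswith(b"227"):
        m = re.search(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
        if not m:
            raise ValueError("malformed 227 reply")
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    elif reply.startswith(b"229"):
        m = re.search(rb"\(\|\|\|(\d+)\|\)", reply)
        if not m:
            raise ValueError("malformed 229 reply")
        # EPSV carries only the port; the host is the control connection's peer.
        host, port = control_host, int(m.group(1))
    else:
        raise ValueError("not a passive-mode reply")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def outbound_allowed(dst_port: int, allowed_ports) -> bool:
    """Does a new outbound TCP connection to dst_port pass the 'pass out' rule?"""
    return allowed_ports is None or dst_port in allowed_ports


def passive_transfer(reply: bytes, allowed_ports, control_host="192.0.2.10") -> dict:
    """Model a passive download: control to TCP 21, then data to the negotiated port."""
    host, data_port = parse_passive_reply(reply, control_host)
    return {
        "data_host": host,
        "data_port": data_port,
        "control_allowed": outbound_allowed(21, allowed_ports),
        "data_allowed": outbound_allowed(data_port, allowed_ports),
    }
```

With the asker's port list the control connection passes but the data connection to the random high port (50155 here) is blocked, which is exactly the failure described in the thread; with the unrestricted rule both pass.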
 