Solved Cannot separate the pass on from the redirect

Hi,

I have an FTP server inside a jail and when I use the following rules, I can access the FTP server and see all files
Code:
ExtIf   = "bce0"
JailIf  = "lo1"
ftp_ext= "91.203.xx.xxx"
ftp_int= "10.8.20.12"

# NAT Rules
nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)
nat on $ExtIf from { $ftp_int } to any -> $ftp_ext

# --- redirect ftp traffic to the internal ftp server ---#
rdr pass on $ExtIf inet proto tcp from any to $ftp_ext port 21 -> $ftp_int port 21
rdr pass on $ExtIf inet proto tcp from any to $ftp_ext port 49000:51000 -> $ftp_int

# --- pass outgoing ftp traffic ---
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 21 keep state tag FTP label "ftp"
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 49000:51000 keep state tag FTP_PASV label "ftp-passive"
But when I tried to have more defined control and separate the pass from the rdr line, I am no longer able to establish the connection. Here is my new converted code:
Code:
rdr on $ExtIf inet proto tcp from any to $ftp_ext port 21 -> $ftp_int port 21
rdr on $ExtIf inet proto tcp from any to $ftp_ext port 49000:51000 -> $ftp_int
pass in log on $ExtIf inet proto tcp  from any to $FtpExt port 21
pass in log on $ExtIf inet proto tcp  from any to $FtpExt port 49000:51000
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 21 keep state tag FTP label "ftp"
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 49000:51000 keep state tag FTP_PASV label "ftp-passive"
Could someone please tell me why the second method is not working?

Thank you
 
Hi, I'm familiar mostly with OpenBSD's PF version; however, there are a few things happening that might be causing your issue:

1. Your prior rdr rules did not specify direction and so {in, out} is implied with just "pass". The new rule is "pass in" and so you might need to add a "keep state" at the end to allow responses. This sets the state of hosts that pass so outgoing replies from your jail will also pass back through the PF. I don't know if "keep state" is already default on all rules in FreeBSD's version of PF or not.

2. You might have a typo in your macro names for the pass rules. They went from $ftp_ext to $FtpExt (maybe they eval to the same things but maybe double check that they do).

3. It looks like you might need to evaluate the pass rules for incoming traffic before redirecting that traffic. If you redirect first it seems like your pass rules no longer match.

Maybe try this and see if it works for you:

Code:
pass in log on $ExtIf inet proto tcp  from any to $ftp_ext port 21 keep state
pass in log on $ExtIf inet proto tcp  from any to $ftp_ext port 49000:51000 keep state

rdr on $ExtIf inet proto tcp from any to $ftp_ext port 21 -> $ftp_int port 21
rdr on $ExtIf inet proto tcp from any to $ftp_ext port 49000:51000 -> $ftp_int

pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 21 keep state tag FTP label "ftp"
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 49000:51000 keep state tag FTP_PASV label "ftp-passive"

Cheers!
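For reference, here is an added example of the separated form, written by the editor rather than by either poster. It relies on two points of pf rule order: pf.conf requires translation rules to come before filter rules, and rdr rewrites the destination address before the filter runs, so the `pass in` rules must match the jail address `$ftp_int`, not `$ftp_ext`. The macro names and addresses are the ones from the thread.

```pf
# Added example: separate rdr and pass rules, matching on the
# post-translation destination (macros as defined in the thread).
ExtIf   = "bce0"
JailIf  = "lo1"
ftp_ext = "91.203.xx.xxx"
ftp_int = "10.8.20.12"

# Translation rules must precede filter rules in pf.conf.
rdr on $ExtIf inet proto tcp from any to $ftp_ext port 21 -> $ftp_int port 21
rdr on $ExtIf inet proto tcp from any to $ftp_ext port 49000:51000 -> $ftp_int

# The filter sees the packet after rdr has rewritten the destination,
# so the pass rules must name $ftp_int (the jail), not $ftp_ext.
pass in log on $ExtIf inet proto tcp from any to $ftp_int port 21 keep state
pass in log on $ExtIf inet proto tcp from any to $ftp_int port 49000:51000 keep state

# Unchanged from the original post.
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 21 keep state tag FTP label "ftp"
pass out quick log on $JailIf inet proto tcp from any to $ftp_int port 49000:51000 keep state tag FTP_PASV label "ftp-passive"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` and `pfctl -snat` then show the filter and translation rules as pf parsed them.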
 