ftp/fetch to the world behind router NAT as well as PF

Hello all, could you give me any advice on my PF settings for an FTP client behind PF?

Just one simple aim

My FreeBSD base and jails should be able to ftp/fetch smoothly behind PF while installing ports.
They do not provide any ftpd service.

Networking environment

1. FreeBSD 7.2R-p4 is behind the router's NAT
2. The FreeBSD host has one NIC only
3. FreeBSD has three service jails for web, pgsql, sendmail
4. I put the FreeBSD base and all jails behind the base's PF with IP-based rules on the NIC
5. The outside world connects to my web and sendmail servers through the router's port forwarding feature.

Hence, my base and service jails are behind PF and the router's NAT.

With PF disabled it can ftp, but it fails after enabling PF

This proves to me that the networking is OK. The problem is the PF configuration.

I want to use ftp-proxy but never succeed

OpenBSD PF FAQ, Issues with FTP, section FTP Client behind the firewall
http://www.openbsd.org/faq/pf/ftp.html

I followed this instruction but never succeeded. I guess it is caused by my
networking environment: only one NIC, and the FreeBSD host is behind the router's NAT.
The sample config from this FAQ is not suitable for my scenario.

Using rdr + filter rules, I can ftp with PF

Now I redirect the ftp ports from the FreeBSD base / jails to the router IP directly.
I add an outgoing filter to permit the ftp ports out from the target,
and an incoming filter to accept remote ftp connections coming to the target.

PF rules for FTP
Code:
my_if="em0"
my_router="192.168.1.1"
base_ip="192.168.1.7"
jail_httpd="192.168.1.50"
jail_pgsql="192.168.1.51"   # placeholder: the post does not give this address
jail_mail="192.168.1.52"    # placeholder: the post does not give this address

# redirect FTP control and data from each client to fixed ports on the router
rdr pass on $my_if inet proto { tcp udp } from $base_ip to \
    any port ftp -> $my_router port 55021
rdr pass on $my_if inet proto { tcp udp } from $base_ip to \
    any port ftp-data -> $my_router port 55020

rdr pass on $my_if inet proto { tcp udp } from $jail_httpd to \
    any port ftp -> $my_router port 55031
rdr pass on $my_if inet proto { tcp udp } from $jail_httpd to \
    any port ftp-data -> $my_router port 55030

# let the base and the web jail open FTP control and data connections
pass out quick on $my_if inet proto tcp from \
    { $base_ip, $jail_httpd } to any port { ftp, ftp-data }

# accept inbound connections to the ephemeral port range on the base and all jails
pass in quick on $my_if inet proto tcp from any to \
    { $base_ip, $jail_httpd, $jail_pgsql, $jail_mail } \
    port >49152
With the above rdr rules and filter rules, I can use passive ftp from the base
or from jails which are behind PF as well as the router's NAT.

Some questions

1. question about ftp-proxy

Can ftp-proxy solve my ftp problem too?

2. question about ip.port.range

My FreeBSD 7.2R-p4 amd64 portrange values:
Code:
   net.inet.ip.portrange.randomtime: 45
   net.inet.ip.portrange.randomcps: 10
   net.inet.ip.portrange.randomized: 1
   net.inet.ip.portrange.reservedlow: 0
   net.inet.ip.portrange.reservedhigh: 1023
   net.inet.ip.portrange.hilast: 65535
   net.inet.ip.portrange.hifirst: 49152
   net.inet.ip.portrange.last: 65535
   net.inet.ip.portrange.first: 49152
   net.inet.ip.portrange.lowlast: 600
   net.inet.ip.portrange.lowfirst: 1023
Is it safe to rdr / pass in the 49152:65535 port range?
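The question about the 49152:65535 range is really a question about how much the `pass in ... port >49152` rule exposes. The following Python script is an added example for this thread, not code from the original post or from PF: it joins backslash-continued lines, expands macros, and flags every `pass in` rule whose source is `any` and whose destination port spec covers at least a threshold number of ports. The embedded rule set is constructed from the post; the pgsql and mail jail addresses are placeholders the post does not give, and undefined macros are left visible as `$name` so they show up in the findings.

```python
"""Lint a pf.conf fragment for inbound pass rules that open wide port ranges.

Added example for this thread, not code from the original post or from PF.
It joins backslash-continued lines, expands macros, and flags every
`pass in` rule whose source is `any` and whose destination port spec covers
at least THRESHOLD ports. The embedded rule set is constructed from the post;
the pgsql and mail jail addresses are placeholders the post does not give.
"""
import re

SAMPLE_PF_CONF = r"""
my_if="em0"
my_router="192.168.1.1"
base_ip="192.168.1.7"
jail_httpd="192.168.1.50"
jail_pgsql="192.168.1.51"   # placeholder, not given in the post
jail_mail="192.168.1.52"    # placeholder, not given in the post

rdr pass on $my_if inet proto { tcp udp } from $base_ip to \
    any port ftp -> $my_router port 55021

pass out quick on $my_if inet proto tcp from \
    { $base_ip, $jail_httpd } to any port { ftp, ftp-data }

pass in quick on $my_if inet proto tcp from any to \
    { $base_ip, $jail_httpd, $jail_pgsql, $jail_mail } \
    port >49152
"""

# Service names that appear on the page; pf itself resolves them via /etc/services.
SERVICES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443}
THRESHOLD = 1024  # flag a rule whose destination port spec covers this many ports

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
PORT_RE = re.compile(r"\bport\s*(>=|<=|!=|>|<|=)?\s*(\{[^}]*\}|[\w:.-]+)")
FROM_RE = re.compile(r"\bfrom\s+(\{[^}]*\}|\S+)")
TO_RE = re.compile(r"\bto\s+(\{[^}]*\}|\S+)")


def logical_lines(text):
    """Strip comments, glue backslash continuations, collapse whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.split("#", 1)[0].rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1] + " "
            continue
        buf += piece
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    return lines


def split_macros(lines):
    """Separate name="value" macro definitions from filter/translation rules."""
    macros, rules = {}, []
    for line in lines:
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def expand_macros(rule, macros):
    """Replace $name with its value; unknown macros stay visible as $name."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), rule)


def list_items(spec):
    """'{ a, b }' -> ['a', 'b']; a bare token -> [token]."""
    spec = spec.strip()
    if spec.startswith("{"):
        return [s.strip() for s in spec.strip("{}").split(",") if s.strip()]
    return [spec]


def port_number(token):
    return int(token) if token.isdigit() else SERVICES[token]


def port_count(op, spec):
    """Number of ports in 1..65535 matched by a pf port spec such as '>49152'."""
    items = list_items(spec)
    if len(items) > 1:
        return len(items)
    if ":" in items[0]:
        lo, hi = (port_number(p) for p in items[0].split(":"))
        return hi - lo + 1
    n = port_number(items[0])
    if op in (None, "", "="):
        return 1
    return {">": 65535 - n, ">=": 65536 - n, "<": n - 1, "<=": n, "!=": 65534}[op]


def audit(text, threshold=THRESHOLD):
    """Return the `pass in` rules from any whose destination port spec is too wide."""
    macros, rules = split_macros(logical_lines(text))
    findings = []
    for rule in rules:
        rule = expand_macros(rule, macros)
        if not rule.startswith("pass in"):
            continue
        src, dst, ports = FROM_RE.search(rule), TO_RE.search(rule), PORT_RE.findall(rule)
        if not (src and dst and ports):
            continue
        op, spec = ports[-1]  # the last port spec in a rule belongs to the destination
        n = port_count(op, spec)
        if src.group(1) == "any" and n >= threshold:
            findings.append({"rule": rule, "hosts": list_items(dst.group(1)), "ports": n})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PF_CONF):
        print(f"{f['ports']} ports open from any to {len(f['hosts'])} hosts: {f['rule']}")
```

Run on the posted rule set it reports one finding: the `pass in` rule admits 16383 ports on four hosts from any source. For passive-mode FTP the client opens both the control connection and the data connection itself, so the stateful `pass out` rules already cover the replies; a wide `pass in` rule is what active mode would need, and the per-rule counters from `pfctl -vsr` show whether it is ever matched before deciding to keep it.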
 
Code:
tcp_services = "{ http, 21, https }"
# default deny inbound, log everything blocked
block in log all
# allow outbound FTP control, the high ports used for data, and web traffic
pass out log inet proto tcp from any to any port 21
pass out log inet proto tcp from any to any port > 1023
pass out proto tcp to any port $tcp_services
This may help you.
 
solved

Finally, I replaced my router with a Soekris embedded x86 board.

I installed OpenBSD and configured PF on the Soekris.

The FreeBSD PC with 1 NIC works for the httpd and sendmail servers in jails. I disabled PF on this FreeBSD host.

Every PC, notebook and FreeBSD jail behind the new Soekris PF firewall works fine. I just followed the PF handbook and it works.
 