PF passive ftp

I've looked everywhere on the internet. I even looked at ftp-proxy(). But I still can't figure it out.
I have FreeBSD 9x running behind a firewall. I put a few lines in pf.conf, because it's an FTP and HTTP server. HTTP works, but FTP messes up with passive transfers.
This is my configuration:
Code:
int_if = "rl0"
lan = $int_if:network
localhost = "127.0.0.1"
webserver_ip = "192.168.2.5"
tcp_pass = "{ 80, ssh, ntp, smtp, 110, 137, 138, 139, 3306, ftp-proxy, ftp-data, ftp }"
udp_pass = "{ 53, 110, 631 }"
block_log = "{ 80, ssh }"

table <blockedips> persist file "/etc/pf.blocked.ip.conf"

# pf.conf(5) wants options before the translation and filter rules,
# so "set skip" belongs up here rather than at the end of the file
set skip on lo0

# ftp-proxy(8) adds its dynamic nat/rdr rules inside these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# hand FTP control connections that originate on the LAN to ftp-proxy
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

block all
block drop in log (all) quick on $int_if from <blockedips> to any

# ftp-proxy's dynamic filter rules for the data connections
anchor "ftp-proxy/*"
pass out proto tcp from $localhost to any port 21
pass out on $int_if proto tcp to any port $tcp_pass keep state
pass out on $int_if proto udp to any port $udp_pass keep state
pass in on $int_if proto tcp to any port $tcp_pass keep state
pass in on $int_if proto udp to any port $udp_pass keep state
# meant for the server's passive data connections
pass in on $int_if proto tcp to port > 10000
I started ftp-proxy() with service ftp-proxy start and put the passive-mode configuration lines in /usr/local/etc/proftpd.conf.

Are there still problems with my firewall script, or is my firewall (the router from my provider) blocking the passive transfers?
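Two things stand out in the configuration above. The rule "pass in on $int_if proto tcp to port > 10000" lets every inbound TCP port above 10000 through to the server, far more than passive FTP needs, and the rdr rule only matches FTP control connections that originate on the LAN ("from $lan"), so it does nothing for outside clients connecting in to the server. The usual approach for a server is to pin it to a small passive range (proftpd's PassivePorts directive) and pass exactly that range in pf. The script below is an added example, not from the thread, FreeBSD or proftpd: it checks that the range proftpd advertises and the range pf passes are the same, and flags open-ended "port > N" rules. The configuration fragments are constructed, and the passive_ports macro name is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the passive data-port
# range advertised by proftpd (PassivePorts lo hi) is exactly the range
# pf.conf passes in, and count open-ended "port > N" rules.
# The macro name passive_ports and the sample configs are assumptions.

# Print "lo:hi" from a "PassivePorts lo hi" line in a proftpd.conf.
proftpd_passive_range() {
    awk 'tolower($1) == "passiveports" { print $2 ":" $3; exit }' "$1"
}

# Print "lo:hi" from a pf.conf macro such as: passive_ports = "49152:49200"
pf_passive_range() {
    sed -n 's/^passive_ports *= *"\([0-9][0-9]*:[0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Count "pass in" rules that open every port above some number (port > N).
open_ended_rules() {
    grep -c 'pass in .*port *> *[0-9]' "$1" || true
}

# Exit 0 only when both ranges are present and identical.
ranges_match() {
    a=$(proftpd_passive_range "$1")
    b=$(pf_passive_range "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample configs, written to a temp dir so the script runs offline.
WORK=$(mktemp -d)
PROFTPD_CONF="$WORK/proftpd.conf"
PF_GOOD="$WORK/pf.good.conf"
PF_OPEN="$WORK/pf.open.conf"

cat > "$PROFTPD_CONF" <<'EOF'
# constructed proftpd.conf fragment
PassivePorts 49152 49200
EOF

cat > "$PF_GOOD" <<'EOF'
# constructed pf.conf fragment: passive range pinned to what proftpd advertises
ext_if = "rl0"
passive_ports = "49152:49200"
set skip on lo0
block all
pass in on $ext_if proto tcp to port { ftp, 80 }
pass in on $ext_if proto tcp to port $passive_ports
EOF

cat > "$PF_OPEN" <<'EOF'
# constructed pf.conf fragment in the style of the thread: open-ended range
ext_if = "rl0"
set skip on lo0
block all
pass in on $ext_if proto tcp to port > 10000
EOF

for f in "$PF_GOOD" "$PF_OPEN"; do
    if ranges_match "$PROFTPD_CONF" "$f"; then
        echo "$f: passive range matches proftpd ($(proftpd_passive_range "$PROFTPD_CONF"))"
    else
        echo "$f: passive range does not match proftpd"
    fi
    echo "$f: $(open_ended_rules "$f") open-ended 'port > N' rule(s)"
done
```

Run against the real files with the same functions (proftpd_passive_range /usr/local/etc/proftpd.conf, pf_passive_range /etc/pf.conf) after changing the config; a mismatch means passive transfers will hang at the data connection, which is the symptom described in the post. Keeping the range small also keeps the pass rule small, instead of exposing every listener above port 10000.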
 
FTP is notoriously tricky when it comes to firewalls. This is because the data channel needs to be created dynamically. Problems start when both ends (client and server) are firewalled.

This has a great explanation of what the problem is: http://slacksite.com/other/ftp.html
 
I'm aware of that. It's not the whole world that's using the FTP, only me and some clients.
Of course I can use ssh or sftp. But with ftp I can run a script in cron.

If there's another way, please tell me.
 
But with ftp I can run a script in cron.
sftp(1) is scriptable the same way.

Code:
     -b batchfile
             Batch mode reads a series of commands from an input batchfile
             instead of stdin.  Since it lacks user interaction it should be
             used in conjunction with non-interactive authentication.  A
             batchfile of `-' may be used to indicate standard input.  sftp
             will abort if any of the following commands fail: get, put,
             reget, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown,
             chgrp, lpwd, df, symlink, and lmkdir.  Termination on error can
             be suppressed on a command by command basis by prefixing the com-
             mand with a `-' character (for example, -rm /tmp/blah*).
 
Nice, but I need to create a remote key to log in. sftp cannot log in with a batchfile because sftp needs a password entered manually.
I created one and use scp instead.
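The batch-mode workflow the last two replies describe, as an added example that is not from the thread or from OpenSSH: a cron job builds an sftp batchfile, runs sftp with a dedicated key and BatchMode=yes so that a missing or rejected key fails immediately instead of waiting for a password cron can never type, and refuses to run unless the private key is mode 0600. The host, user, key path and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive sftp upload for cron
# with key authentication. backup@ftp.example.org, the key path and the
# uploaded file are constructed placeholders.

# Write an sftp batchfile that uploads each argument. The "-" prefix on
# mkdir keeps an already existing remote directory from aborting the batch
# (sftp -b stops at the first failing command otherwise).
write_batchfile() {
    out=$1; shift
    {
        echo "-mkdir uploads"
        echo "cd uploads"
        for f in "$@"; do
            echo "put \"$f\""
        done
        echo "bye"
    } > "$out"
}

# Exit 0 only if the key exists and its mode is exactly 0600; ssh refuses
# to use a private key that other users can read.
key_perms_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# Assemble the sftp command line: BatchMode=yes fails instead of prompting,
# IdentitiesOnly=yes offers only the cron key, not every key in the agent.
sftp_command() {
    # $1 batchfile, $2 private key, $3 user@host
    printf 'sftp -b %s -i %s -o BatchMode=yes -o IdentitiesOnly=yes %s\n' "$1" "$2" "$3"
}

# Constructed demo run (no network access; the command is printed, not executed).
WORK=$(mktemp -d)
KEY="$WORK/backup_key"          # stand-in for a dedicated passphrase-less cron key
BATCH="$WORK/upload.batch"
: > "$KEY"; chmod 600 "$KEY"    # stand-in for: ssh-keygen -t ed25519 -N '' -f "$KEY"
printf 'constructed report\n' > "$WORK/report.txt"
write_batchfile "$BATCH" "$WORK/report.txt"

if key_perms_ok "$KEY"; then
    echo "key permissions ok; the cron entry would run:"
    sftp_command "$BATCH" "$KEY" "backup@ftp.example.org"
else
    echo "refusing to run: $KEY must be mode 0600" >&2
fi
```

On the server side the public key goes into the upload user's authorized_keys, where it can be limited with the usual options (from= to pin the client address, command= or a chroot to keep the key from being usable for a general shell), so a leaked cron key buys an attacker nothing beyond the upload directory. The same batchfile works unchanged whether the job is later pointed at scp or sftp.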
 