PF with incoming FTP connections

Hello,

I have a serious problem with the FTP server.

Basically my connection is:

Code:
Public ip Firewall -> Public Ip FTP SERVER (DMZ)
       |
       |
Local Lan Private ip

From my local LAN I can go to the FTP server, but from outside of my network I cannot.

On /etc/sysctl.conf I have:

Code:
net.inet.ip.portrange.first=32768
net.inet.ip.portrange.last=49151
net.inet.ip.portrange.hifirst=49152
net.inet.ip.portrange.hilast=65535


This is a very small fragment of my pf.conf:
Code:
tcp_services = "{www, smtp, domain, pop3, auth, https, pop3s, ftp, ftp-data, 1863, 5000, 5050, 5100, 5222, ssh, 2703, 465, 587}"

tcp_wan1 = "{auth, www, domain, pop3, https, pop3s, 5000, 465, 10000, 587, 993 }"

block in log all
antispoof quick for {$if_int $if_ext}



# Firewall -> Any (Outgoing). 

#pass out quick proto tcp from any to any flags S/SAFR keep state
pass out quick from any to any keep state

FTP = my ftp server
pass in quick on $if_ext proto tcp from any to $FTP port $tcp_wan1 flags S/SAFR keep state
pass in quick on $if_ext proto tcp from any to $FTP port 21 flags S/SAFR keep state
pass in quick on $if_ext proto tcp from any to $FTP port > 32768 flags S/SAFR keep state

pass in quick on $if_pub proto tcp from any to any port $tcp_services flags S/SAFR keep state

If anyone could help me with the insane FTP, it would be greatly appreciated.
 
Even if you don't use NAT, FTP uses random ports for the data transfer. This is somewhat difficult to firewall.
 
I tried the lines from OpenBSD... At the moment I don't know if it is working, since I only tested it from a network and it was working from there.

But after I added the rules, clients were not able to connect to outside FTP.

Do I have to run 2 ftp-proxy processes? One with the flags and one with a redirect to 127.0.0.1 21?
 
bloodhound said:
But after I added the rules, clients were not able to connect to outside FTP.

Do I have to run 2 ftp-proxy processes? One with the flags and one with a redirect to 127.0.0.1 21?
You will need two ftp-proxy instances, yes.
 
I must be doing something wrong...

since I use this from OpenBSD (with my IPs, of course):

Code:
ftpproxy_flags="-R 10.10.10.1 -p 21 -b 192.168.0.1" 
ext_ip = "192.168.0.1"
ftp_ip = "10.10.10.1"

nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)
rdr-anchor "ftp-proxy/*"

pass in on $ext_if inet proto tcp to $ext_ip port 21 \
    flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"

The FTP is not working at all from outside; at least before I had some connections.
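For reference, here is an added example (not from the thread, and not the OpenBSD FAQ text the poster copied) that puts the two ftp-proxy instances side by side with the pf.conf glue both of them need, in the same nat/rdr syntax used above. The interface names, the LAN network and the addresses are placeholders chosen to match the addresses already quoted in the thread; the only real ftp-proxy flags used are -R, -p and -b, as shown above. The forward instance is started with no flags, so it listens on 127.0.0.1 port 8021 (ftp-proxy's default) and is only reached through the rdr rule.

```conf
# Added example, not from the thread. Placeholders: em0/em1/em2, 172.16.0.0/24.
#
# Two ftp-proxy processes (start them from rc.conf or by hand):
#
# 1. Forward proxy for LAN clients talking to FTP servers on the Internet.
#    No flags: listens on 127.0.0.1:8021, reached only via the rdr rule below.
#      ftp-proxy
#
# 2. Reverse proxy for Internet clients talking to the DMZ FTP server.
#    -R real server, -p port to listen on, -b public address to bind to.
#      ftp-proxy -R 10.10.10.1 -p 21 -b 192.168.0.1

ext_if  = "em0"             # public interface              (placeholder)
int_if  = "em1"             # LAN interface                 (placeholder)
dmz_if  = "em2"             # DMZ interface                 (placeholder)
ext_ip  = "192.168.0.1"     # public address the reverse proxy binds to
ftp_ip  = "10.10.10.1"      # real FTP server in the DMZ
lan_net = "172.16.0.0/24"   # LAN network                   (placeholder)

# Both proxy instances install their per-session nat/rdr rules here at run time.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary outbound NAT for the LAN (a network, not the interface's own address).
nat on $ext_if inet from $lan_net -> ($ext_if)

# Outgoing FTP: send LAN clients' control connections into the forward proxy.
rdr pass on $int_if inet proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

block in log all

# Incoming FTP: the reverse proxy itself listens on the public address.
pass in on $ext_if inet proto tcp from any to $ext_ip port 21 flags S/SA keep state

# Control connections opened by the proxies (they run as user "proxy"):
# reverse proxy -> DMZ server, forward proxy -> servers on the Internet.
pass out on $dmz_if inet proto tcp to $ftp_ip port 21 user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 user proxy flags S/SA keep state

# Data connections: each proxy inserts a per-session pass rule into this anchor,
# so no static "port > 32768" rule is needed and nothing else is left open.
anchor "ftp-proxy/*"
```

The point of this layout is that the only permanently open inbound port is 21 on the firewall's own public address, and every data connection (active or passive) gets a short-lived rule created by the proxy that saw the PORT/PASV exchange. After loading it, check the anchor with `pfctl -a "ftp-proxy/*" -sr` while a transfer is in progress: if it stays empty, the control connection is not passing through the proxy, which is the first thing to verify when outside clients cannot connect.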
 