Hello.
I'm trying to set up an ftp-proxy (pftpx) with PF.
I have set up the nat anchors and rdr in pf.conf.
My setup:
Code:
     +-------------+
     |  INTERNET   |
     +-------------+
            |
            |
            |
     +-------------+
     |     PF      |
     |    pftpx    |
     +-------------+
            |
            |
            |
     +-------------+
     |   PROFTPD   |
     +-------------+
The client on the internet: 52.125.11.51
PF External IP address: 81.157.22.26
FTP Server: 192.168.1.10
The rules in pf added by pftpx:
Code:
# pfctl -v -a `pfctl -sA -v | grep -v "pftpx$"` -sr; pfctl -vvv -a `pfctl -sA -v | grep -v "pftpx$"` -sn
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
[ Evaluations: 3 Packets: 2 Bytes: 80 States: 1 ]
Proftpd output:
Code:
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - in dir_check_full(): path = '/', fullpath = '/usr/home/www/test_dir/'.
domain.com (192.168.1.10[192.168.1.10]) - ROOT PRIVS at inet.c:237
domain.com (192.168.1.10[192.168.1.10]) - RELINQUISH PRIVS at inet.c:254
domain.com (192.168.1.10[192.168.1.10]) - Entering Extended Passive Mode (|||65186|)
domain.com (192.168.1.10[192.168.1.10]) - dispatching POST_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_log
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_ratio
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'LIST' to mod_ls
domain.com (192.168.1.10[192.168.1.10]) - SECURITY VIOLATION: Passive connection from 52.125.11.51 rejected.
FTP Client:
Code:
230 User test_user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||53266|)
421 Service not available, remote server has closed connection.
ftp>
ftp> ^D
PFTPX output:
Code:
#1 server: 230 User test_user logged in\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8\r\n
#1 client: FEAT\r\n
#1 server: 211-Features:\n
#1 server: MDTM\n
#1 server: MFMT\n
#1 server: MFF modify;UNIX.group;UNIX.mode;\n
#1 server: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\n
#1 server: REST STREAM\n
#1 server: SIZE\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is the current directory\r\n
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||65186|)\r\n
#1 passive: client to server port 65186 via port 53266
#1 proxy: 229 Entering Extended Passive Mode (|||53266|)\r\n
#1 client: LIST\r\n
^Cpftpx exiting on signal 2
#1 ending session
As you can see, pftpx adds correct rules in PF, but the client's IP (52.125.11.51) isn't NATed (proftpd complains: Passive connection from 52.125.11.51 rejected). The packets from the client are being redirected to the FTP server, but the nat rule isn't applied to them.
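The post's diagnosis rests on reading the per-rule counters in the pftpx anchor: the rdr has created a state, while the paired nat rule shows zero evaluations, meaning pf never consulted it for the redirected packets. The following is an added example (not code from the post, pftpx or PF) that turns a verbose `pfctl -sr`/`pfctl -sn` dump into per-rule counters and reports exactly that condition; the sample dump is constructed from the anchor output quoted above, and the helper names (`parse_pf_dump`, `never_evaluated`, `rdr_nat_pairs`, `diagnose`) are this example's own.

```python
"""Added example: parse a verbose pf rule dump, pair each rdr with its nat rule,
and flag rules that pf never evaluated. The sample dump below is constructed
from the pftpx anchor output quoted in the forum post."""
import re
from dataclasses import dataclass
from typing import Optional

# Counter line that `pfctl -v` prints under each rule.
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
# Rule line; translation rules (nat/rdr) carry an "@N" ordinal in -vvv output.
RULE_RE = re.compile(r"^(?:@\d+\s+)?(pass|block|match|nat|rdr|binat)\b")
RDR_TARGET_RE = re.compile(r"->\s*(\S+)\s+port\s+(\d+)")        # rdr ... -> host port N
NAT_DEST_RE = re.compile(r"\bto\s+(\S+)\s+port\s*=\s*(\d+)")     # nat ... to host port = N

# Constructed sample: the four rules pftpx installed, as shown in the post.
SAMPLE_DUMP = """\
# pfctl -v -a `pfctl -sA -v | grep -v "pftpx$"` -sr; pfctl -vvv -a `pfctl -sA -v | grep -v "pftpx$"` -sn
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
[ Evaluations: 3 Packets: 2 Bytes: 80 States: 1 ]
"""


@dataclass
class PfRule:
    action: str
    text: str
    evaluations: Optional[int] = None  # None: dump had no counters (pfctl run without -v)
    packets: Optional[int] = None
    bytes_: Optional[int] = None
    states: Optional[int] = None


def parse_pf_dump(dump: str) -> list[PfRule]:
    """Collect rule lines and attach the counter line that follows each one."""
    rules: list[PfRule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and the echoed command
            continue
        cm = COUNTER_RE.match(line)
        if cm:
            if not rules:
                raise ValueError("counter line before any rule: " + line)
            ev, pk, by, st = (int(x) for x in cm.groups())
            rules[-1].evaluations, rules[-1].packets = ev, pk
            rules[-1].bytes_, rules[-1].states = by, st
            continue
        rm = RULE_RE.match(line)
        if rm:
            rules.append(PfRule(rm.group(1), line))
    return rules


def never_evaluated(rules: list[PfRule]) -> list[PfRule]:
    """Rules pf never reached for any packet: the anchor holding them is not
    consulted for this traffic (wrong section, interface or direction, or an
    earlier 'quick' rule already decided the packet)."""
    return [r for r in rules if r.evaluations == 0]


def evaluated_but_unmatched(rules: list[PfRule]) -> list[PfRule]:
    """Rules pf did consult but that matched nothing (selector or flags mismatch)."""
    return [r for r in rules if r.evaluations and r.packets == 0 and r.states == 0]


def rdr_nat_pairs(rules: list[PfRule]) -> list[tuple[PfRule, Optional[PfRule]]]:
    """Pair each rdr with the nat rule rewriting the source for the same internal
    target; pftpx installs one of each per passive data connection."""
    nats = {}
    for r in rules:
        if r.action == "nat":
            m = NAT_DEST_RE.search(r.text)
            if m:
                nats[(m.group(1), int(m.group(2)))] = r
    pairs = []
    for r in rules:
        if r.action == "rdr":
            m = RDR_TARGET_RE.search(r.text)
            if m:
                pairs.append((r, nats.get((m.group(1), int(m.group(2))))))
    return pairs


def diagnose(dump: str) -> str:
    """One-line verdict on whether the rdr/nat pair is doing its job."""
    rules = parse_pf_dump(dump)
    for rdr, nat in rdr_nat_pairs(rules):
        if nat is None:
            return "no nat rule paired with rdr: " + rdr.text
        if rdr.states and nat.evaluations == 0:
            return ("rdr created a state but its paired nat rule was never evaluated: "
                    "the nat anchor is not consulted for the redirected traffic")
    return "translation rules consistent"


if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMP))
```

Feed it the output of `pfctl -vvv -a <anchor> -sn` together with `pfctl -v -a <anchor> -sr`; a nat rule that stays at zero evaluations while its rdr accumulates states tells you to look at where the nat-anchor sits in pf.conf and on which interface and direction it is reached, rather than at the rule text itself.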