
Re: ftp-proxy's inability to proxy using arbitrary source ip addresses



On Sat, Mar 09, 2002 at 05:01:18PM -0800, Adam Herscher wrote:

> Let's say 64.1.1.1 is part of a /29.  The router routes the entire /29 to
> the firewall, which routes it to a network of machines on the inside.  It
> would be impossible to actually number the outside interface 64.1.1.1 and
> at the same time route the /29 to the other side.  You could break up the
> /29, but then you would have significantly less useable addresses.

I guess I'd use two different machines in that case, a (transparent)
bridge right after the router to do the firewalling, and a NAT gateway
between the workstations with private addresses and the firewall. This
wouldn't require subnetting the /29 and I could use the remaining
routable addresses for a DMZ behind the firewall. But I don't want to
tell you what to do, if you know what you're doing :)

> Since I sent out my original email raising the issue yesterday (Friday
> afternoon), I did receive a response from someone in the same situation.
> ipf used to handle this scenario seamlessly, but pf+ftp-proxy will require
> a workaround (perhaps the option to set the source ip address, or to read
> the active nat rules and adjust accordingly).

There are two issues with ftp-proxy in your case. First, it has to replace
the address in the control connection correctly. An additional command
line option would do, if it's static. Reading the active nat rules with
the DIOCGETNATS/GETNAT ioctls would be possible, though it can get
tricky to find the relevant rule if there are several. Another approach
would be to use DIOCNATLOOK to fetch the gateway address (64.1.1.1)
given the local and external addresses of the existing control
connection.

Secondly, you probably have to redirect connections to 64.1.1.1 to the
external address of the firewall, or they won't connect to ftp-proxy's
listening socket there. Since the port is random, you might have to
redirect the whole range of possible ports (or all ports). An rdr rule
in nat.conf could do that.

If you need help with the pf ioctls, take a look at pf(4), and feel free
to ask.

Daniel
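
The nat.conf rdr rule Daniel sketches for the second issue, written out as an
added example (this is not part of the original thread and not from the pf or
ftp-proxy sources). The interface names fxp0/fxp1, the firewall's own outside
address 64.0.0.2, the inside net 192.168.1.0/24, the inetd port 8021 for
ftp-proxy and the high port range are all assumptions; 64.1.1.1 is the routed
address from the thread. Syntax follows the nat.conf/pf.conf of OpenBSD 3.0/3.1,
so check the port-range form against the pf.conf(5) of your release.

```conf
# Added example, not from the original message. Names and addresses other
# than 64.1.1.1 are assumptions.

# Outbound traffic from the workstations leaves with the routed address
# 64.1.1.1, not with the address actually configured on fxp0 (64.0.0.2).
nat on fxp0 from 192.168.1.0/24 to any -> 64.1.1.1

# Outgoing FTP control connections from the inside are handed to ftp-proxy,
# started from inetd on 127.0.0.1 port 8021 (assumed stock setup).
rdr on fxp1 proto tcp from 192.168.1.0/24 to any port 21 -> 127.0.0.1 port 8021

# Active-mode data connections: once ftp-proxy puts 64.1.1.1 into the PORT
# command (the first issue in the mail), the server connects back to 64.1.1.1
# on a random high port, but ftp-proxy's listening socket is on the
# firewall's own address. Send that whole port range back to the firewall.
# With no "port" after "->" pf keeps the original destination port, so the
# socket ftp-proxy opened is the one that gets hit. The range 1024:65535 is
# an assumption; narrow it to the ephemeral range your system uses.
rdr on fxp0 proto tcp from any to 64.1.1.1 port 1024:65535 -> 64.0.0.2

# Daniel's "or all ports" variant, if your release has no range syntax:
# rdr on fxp0 proto tcp from any to 64.1.1.1 -> 64.0.0.2
```

Redirection alone does not let the packets through: the filter in pf.conf sees
the translated packet, so it still needs a pass rule for tcp to 64.0.0.2 on the
same ports (and for the inside hosts' connections to 127.0.0.1 port 8021),
otherwise the data connection from the server is silently blocked.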