scratch that FTP-Proxy problem
Hello-
Sorry about that, it seems to be working again.
Now I have a different problem: pf keeps blocking my PASV connections!
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Jun 24 10:00:48.192773 rule 5/0(match): block out on tun0: 64.223.38.3.63962 > 129.128.5.191.42037: S 3294053906:3294053906(0) win 16384 <mss 1452,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 652425316 0> (DF)
Jun 24 10:00:48.192996 rule 6/0(match): block in on tun0: 129.128.5.191.42037 > 64.223.38.3.63962: R 0:0(0) ack 3294053907 win 0
even though I have these rules in my pf.conf:
pass in quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state
pass out quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state
Here's my full pf.conf:
bash-2.05a# more pf.conf
#--------------------------------------------------------------------------
# PF ruleset, 11 dec. 2001
#
# Liberally adapted from the pf man page, the OpenBSD "Network How-To",
# and my own rulesets.
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Definition
Ext = "tun0" # External interface
Int = "xl0" # Internal interface
Int2 = "dc0" # DMZ
Loop = "lo0" # Loopback interface
IntNet="192.168.0.1/24" # Internal network
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
FTPPORTS="{ 65151 >< 65160 }"
InServicesTCP = "{ ftp, ssh, smtp, auth, http, https, pop3 }"
#InServicesUDP = "{ domain }"
OutServicesTCP = "{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp }"
OutServicesUDP = "{ ntp, domain }"
XMMS = "{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, 8014, 8026, 8048, \
8002, 8024, 8028, 8080 }"
RealAudio = "{ 554, 7070, 8080 }"
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
scrub in on { $Ext, $Int, $Int2 } all
#--------------------------------------------------------------------------
#-------------------------------------------------------------------------
# Defaults
# block and log everything
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all
block in quick inet6 all
block out quick inet6 all
#-------------------------------------------------------------------------
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#--------------------------------------------------------------------------
#-------------------------------------------------------------------------
# Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
# PASS rules
# ALL -- we don't normally do that. For debugging only.
#pass out quick on $Ext all keep state
# pass in data mode connections for ftp-proxy running on this host.
pass in log quick on $Ext inet proto tcp from any to any port $FTPPORTS flags S/SA keep state
pass in quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state
pass out quick on $Ext inet proto tcp from any to any port > 49151 flags S/SA keep state
# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in log quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
# Special services
#pass out quick on $Ext inet proto tcp from any to any port $XMMS flags S/SA modulate state
#pass out quick on $Ext inet proto tcp from any to any port $RealAudio flags S/SA modulate state
-steve
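The two pflog lines from the post checked against the post's own pass-rule conditions, as an added example (not code from the post or from pf): it parses the tcpdump/pflog output and evaluates pf's `port > N`, `N >< M` and `flags S/SA` predicates per packet. The log text and the port specs are copied from the post; the parser and helper names are assumptions. It shows that the PASV data connection's destination port 42037 satisfies neither `> 49151` nor `65151 >< 65160`, so no pass rule matches and the default block rules apply.

```python
import re

# The two pflog lines quoted in the post (constructed copy, one packet per line).
PFLOG = (
    "Jun 24 10:00:48.192773 rule 5/0(match): block out on tun0: "
    "64.223.38.3.63962 > 129.128.5.191.42037: S 3294053906:3294053906(0) win 16384\n"
    "Jun 24 10:00:48.192996 rule 6/0(match): block in on tun0: "
    "129.128.5.191.42037 > 64.223.38.3.63962: R 0:0(0) ack 3294053907 win 0\n"
)

# Old-style tcpdump TCP summary: "src.sport > dst.dport: FLAGS ... [ack N]"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on "
    r"(?P<iface>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)"
)

def parse_pflog(text):
    """Return one dict per TCP pflog line; 'flags' is the set of TCP flag letters."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        flags = set(d["flags"].replace(".", ""))
        if " ack " in d["rest"]:          # this tcpdump format prints ACK as a word
            flags.add("A")
        entries.append({**d, "rule": int(d["rule"]), "sport": int(d["sport"]),
                        "dport": int(d["dport"]), "flags": flags})
    return entries

def port_matches(spec, port):
    """Evaluate a pf.conf port operator such as '> 49151' or '65151 >< 65160'."""
    m = re.fullmatch(r"(\d+)\s*><\s*(\d+)", spec.strip())
    if m:                                  # pf's exclusive range operator
        return int(m.group(1)) < port < int(m.group(2))
    op, num = re.fullmatch(r"([<>=]?)\s*(\d+)", spec.strip()).groups()
    num = int(num)
    return {">": port > num, "<": port < num}.get(op, port == num)

def flags_match(flags, spec="S/SA"):
    """pf 'flags S/SA': of the flags in the mask (SA), exactly the listed ones (S) are set."""
    want, mask = (set(p) for p in spec.split("/"))
    return flags & mask == want

def would_pass(entry, port_specs, flag_spec="S/SA"):
    """Would any 'pass ... port <spec> flags S/SA' rule have matched this packet?"""
    return flags_match(entry["flags"], flag_spec) and any(
        port_matches(s, entry["dport"]) for s in port_specs)
```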