
pf proxy support



One feature of ipf I use is proxy support, particularly the FTP proxy,
although there are other proxies. I am trying to see how I would achieve
the same functionality utilizing pf.

In ipf, the proxies utilize the NAT engine and run in kernel space. They
parse the protocol between the client and server and dynamically create
appropriate state entries allowing the traffic to flow.

For example, the NAT entry:

	map sk1 0/0 -> 0/0 proxy port ftp ftp/tcp

results in all FTP connections routed through interface sk1 to go through
the FTP proxy. Combined with a filter rule such as:

	pass out quick on sk1 from any to any port = 21 flags S keep state

systems behind this firewall would be able to successfully complete both
passive and active FTP transactions.  In the case of active, the proxy
would automatically create an appropriate state entry allowing the server
to connect back to the client on the negotiated port. In the case of
passive, an appropriate state entry would be created allowing the client to
connect to the server on the negotiated port.

This is transparent to the client and minimizes any illegitimate traffic.
Also, it works on a bridging firewall implementation.

If I understand correctly, proxy support with pf is implemented via
redirecting connections to a proxy server running in user space. According
to the documentation for ftp-proxy, you need to add in a broad rule such as:

	pass  in on xl1 proto tcp from any to xl1 port > 49151 keep state

in order to get it to work, allowing possible connection attempts that are
not actually associated with a given FTP session. This method also seems
incompatible with a bridging firewall, as the user space proxy needs an IP
address on the interface.


Is there any way to implement a proxy system such as supplied by ipf
utilizing pf? I would prefer to only allow connections associated with an
active proxy session as opposed to opening up a large number of ports for
inbound connections.

Thanks...


-- 
Paul B. Henson  |  (909) 869-3781  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
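The post describes what the in-kernel ipf proxy does (parse the FTP control channel, then create one state entry for the negotiated data port) and asks for the same narrow, per-session behaviour from pf. The following is an added example, not code from the post, from ipf or from pf's ftp-proxy: it parses the PORT command and the 227 passive-mode reply from a constructed control-channel exchange and derives the single pinhole each transfer needs, printed in the pre-OpenBSD-4.7 pf rule syntax the post uses. The client and server addresses, the interface name xl1 and the transcript are assumptions made up for the example; the FTP-bounce and low-port rejections are hardening choices of this example rather than anything the post or ipf claims.

```python
"""Derive the exact per-session pf rule an FTP proxy would need.

Added example (not from the original post, ipf or pf's ftp-proxy): watch an
FTP control channel, parse the data-connection negotiation and return the
one narrow pinhole that transfer needs, instead of a blanket "port > 49151"
rule. Rule text follows the pre-OpenBSD-4.7 pf syntax used in the post.
All addresses, the interface name and the transcript are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 : RFC 959 active mode, sent by the client
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) : sent by the server
PASV_RE = re.compile(r"^227\s[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    direction: str  # "in": server -> client (active); "out": client -> server (passive)
    iface: str
    src: str
    dst: str
    port: int

    def to_pf(self) -> str:
        """Render the rule the proxy would install for just this transfer."""
        return (f"pass {self.direction} quick on {self.iface} proto tcp "
                f"from {self.src} to {self.dst} port {self.port} flags S keep state")


def decode_hostport(fields) -> Tuple[str, int]:
    """Turn the six comma-separated FTP fields into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range: {fields}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def _check_port(port: int) -> None:
    # Hardening choice of this example: data ports must be ephemeral, so a
    # negotiated port cannot open a hole toward a privileged service.
    if port < 1024 or port > 65535:
        raise ValueError(f"refusing data port {port}")


class FtpSession:
    """One FTP control connection; client_ip/server_ip are the two peers."""

    def __init__(self, client_ip: str, server_ip: str, ext_if: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.ext_if = ext_if

    def client_line(self, line: str) -> Optional[Pinhole]:
        """Active mode: PORT tells the server where to connect back."""
        m = PORT_RE.match(line.strip())
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        # A PORT naming any host but the client itself is an FTP bounce
        # attempt; only ever open the hole toward the client (example's choice).
        if host != self.client_ip:
            raise ValueError(f"PORT address {host} is not the client {self.client_ip}")
        _check_port(port)
        return Pinhole("in", self.ext_if, self.server_ip, self.client_ip, port)

    def server_line(self, line: str) -> Optional[Pinhole]:
        """Passive mode: 227 tells the client where the server listens."""
        m = PASV_RE.match(line.strip())
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        if host != self.server_ip:
            raise ValueError(f"PASV address {host} is not the server {self.server_ip}")
        _check_port(port)
        return Pinhole("out", self.ext_if, self.client_ip, self.server_ip, port)


def derive_pinholes(session: FtpSession, transcript) -> List[Pinhole]:
    """transcript: iterable of ("C" | "S", line). Returns pinholes in order."""
    rules = []
    for who, line in transcript:
        rule = session.client_line(line) if who == "C" else session.server_line(line)
        if rule:
            rules.append(rule)
    return rules


# Constructed control-channel exchange: one active and one passive transfer.
SAMPLE = [
    ("S", "220 ftp.example.org FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password"),
    ("C", "PASS guest@"),
    ("S", "230 Login successful"),
    ("C", "PORT 10,0,0,5,196,12"),  # client will listen on 10.0.0.5:50188
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,39,16)"),  # server on 192.0.2.10:10000
]

if __name__ == "__main__":
    session = FtpSession("10.0.0.5", "192.0.2.10", "xl1")
    for rule in derive_pinholes(session, SAMPLE):
        print(rule.to_pf())
```

Each emitted rule is bound to the two peers of one control connection and to one negotiated port, which is the property the post wants from pf's proxy; a real proxy would also delete the rule once the data connection's state is established or the control session ends.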