ftp-proxy flow help
I've tried working with ftp-proxy on 3.0, 3.1 and now 3.3 and would like a
little more info than is available in the man page or the archives.
I have a need to begin my pf config by denying all traffic on all physical
interfaces, blocking in and out on both internal and external interfaces; I
allow all traffic on loopback.
My firewall will be performing NAT for internal users. From there I will
open up just the ports I need, allowing inbound on the internal interface
and outbound on the external interface, keeping state in each case. I am
able to manage the rules for all the easy protocols, but ftp is a pain, as
you know, and I'm trying to get ftp-proxy to work in a manner I am
comfortable with.
Based on the above, I'm unclear when ftp-proxy uses the ports defined with
-m and -M. I am also unclear if the ftp-proxy always makes an active ftp
session, even if the internal client is passive.
Inside client tries to ftp to ftp.openbsd.org. It sends a SYN to port 21
from a random high port. The firewall redirects that to 127.0.0.1:8081. So
my first rule is (assuming the inetd.conf and rdr rules are in place and
working, and I am limiting my ports to 55000-57000)
pass in quick on $int_if proto tcp from $int_net port >1023 to 127.0.0.1
port 8081 keep state #NAT occurs before filtering, no?
Now the ftp-proxy attempts to open a command channel to ftp.openbsd.org
from any high port to port 21 (or does it use the restricted range of
source ports?)
pass out quick on $ext_if proto tcp from $ext_addr port >1023 to any port
21 user proxy keep state
This seems to get me through the login phase at most ftp sites (ftp-proxy
seems unable to handle some big name sites, like Dell - I'll ask about that
later)
Now I need to get a listing.
The internal client, assuming an active client (Windows CLI ftp), sends its
listening port to the server, which will reply from port 20, so I need:
pass out quick on $int_if proto tcp from any port 20 to $int_net port >1023
user proxy keep state
If the internal client is passive, I should add
pass in quick on $int_if proto tcp from $int_net port >1023 to 127.0.0.1
port 54999><57001 user proxy keep state
And the ftp-proxy needs to allow active connections to the ftp site:
pass in quick on $ext_if proto tcp from any port 20 to $ext_addr port
54999><57001 user proxy keep state
Is this correct? I seem to have difficulties with this. Can the ftp-proxy
also do passive ftp out to the actual ftp site?
My other issue is connecting to certain sites. A lot of my customers and I
use Dell for PC hardware. It is cheap, support is good and the
quality is acceptable. However, their ftp site has a legal notice banner
that chokes ftp-proxy. Their banner states that, if their banner hangs or
crashes your ftp client, login using a password starting with a dash '-'.
Unfortunately, if I'm using ftp-proxy, my clients never see that message
and can't make the adjustment. In the log on the firewall, I see 'long FTP
control reply'. Is there a patch for ftp-proxy to make it less strict? I'm
sure you can spout RFC stuff about it, but most ftp clients do not crash
when accessing that site. Even if it is a config option that is off by
default (enable_only_if_you_are_brave=1), that would be helpful.
In 3.0, I was also unable to connect to the CA site (ftp.ca.com) and I
think it had something to do with a failure to reverse lookup the ftp site
by ftp-proxy. I haven't tried it yet since I don't currently have ftp-proxy
working correctly. Can anyone else try it and see if it is still a problem?
Thanks
Steve
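As an added illustration of the reply format behind the 'long FTP control reply' error (example code written for this page, not code from the mail, from OpenBSD or from ftp-proxy): a bounded RFC 959 control-reply parser that accepts a multi-line 220 banner but still refuses any line or reply over a configured size. The 512-byte and 64-line limits and the banner text are constructed assumptions, not ftp-proxy's actual limits.

```python
import re

# RFC 959 reply grammar: the first line is "ddd text" (complete reply) or
# "ddd-text" (start of a multi-line reply); a multi-line reply ends at the
# first line that begins with the same three digits followed by a space.
_FIRST_LINE = re.compile(rb"^(\d{3})([ -])")


class ReplyTooLong(ValueError):
    """A control line or whole reply exceeded the configured bound."""


def parse_reply(data, max_line=512, max_lines=64):
    """Parse one FTP control reply from the start of ``data``.
    Returns (code, lines, consumed_bytes), or None if more bytes are needed;
    the bounds are hypothetical choices for this example, not ftp-proxy's own."""
    lines, code, pos = [], None, 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            if len(data) - pos > max_line:
                raise ReplyTooLong("control line exceeds %d bytes" % max_line)
            return None                        # wait for the rest of the line
        if end - pos > max_line:
            raise ReplyTooLong("control line exceeds %d bytes" % max_line)
        line = data[pos:end]
        pos = end + 2
        lines.append(line.decode("latin-1"))
        if len(lines) > max_lines:
            raise ReplyTooLong("reply exceeds %d lines" % max_lines)
        if code is None:
            m = _FIRST_LINE.match(line)
            if m is None:
                raise ValueError("malformed reply line: %r" % line)
            code = int(m.group(1))
            if m.group(2) == b" ":
                return code, lines, pos        # single-line reply
        elif line.startswith(b"%03d " % code):
            return code, lines, pos            # terminating line of a multi-line reply


# Constructed sample (not Dell's real banner): a multi-line legal notice whose
# third line starts with digits and is therefore space-padded, then the next reply.
SAMPLE_BANNER = (
    b"220-Welcome. Use of this system is subject to the following notice.\r\n"
    b"220-All activity may be monitored and recorded.\r\n"
    b" 220 This line begins with digits, so the server padded it.\r\n"
    b"220 Example FTP server ready.\r\n"
    b"331 Please specify the password.\r\n"
)
```

The size caps are what protect the proxy from unbounded input; raising them trades strictness for compatibility, and the exception text is what should reach the firewall log so the drop is visible.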