
Re: FTP dies during connection when redirected through firewall



http://www.openbsd.org/faq/pf/ftp.html

FTP has some strange properties which make it a bit of a bitch to work through
firewalls.

--
Chris

On Thu, Feb 12, 2004 at 01:44:08PM -0500, Teren wrote:
> Hi, I have an openbsd 3.4 firewall setup for a small network with an ftp
> server (10.20.0.2 running on port 1091). My problem is that I can connect to
> the FTP server when I'm inside the internal network, but if somebody from the
> outside tries to connect, the forwarding works and everything but part way
> through while the client is trying to connect, the connection dies and I can't
> figure out why. Here is the pf.conf
> 
> # Network interfaces (Remember, if using PPPoE the ext. interface is tun0)
> internal = "dc0"
> external = "dc1"
> unsafe = "{ dc1 }"
> 
> # Services visible from the outside . remove any you're not using
> services = "{ ssh, http, https, smtp, domain, 81, 1091, 3389, 1092 }"
> 
> # Non-routable IP numbers
> nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
>     0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
>     255.255.255.255/32 }"
> 
> # All rules are "quick" so go strictly top to bottom
> 
> # Fix fragmented packets
> scrub in all
> 
> # Create two packet queues: one for regular traffic, another for
> # high priority: TCP ACKs and packets with ToS 'lowdelay'
> altq on $external priq bandwidth 125Kb queue { highpri_q, default_q }
> queue highpri_q priority 7
> queue default_q priority 1 priq(default)
> 
> 
> # NAT
> 
> # AFTER REDIRECTION UPDATE, pfctl -f /etc/pf.conf
> 
> # Redirections
> rdr on $external inet proto tcp to port 81 -> 10.20.0.2 port 81
> rdr on $external inet proto tcp to port 1091 -> 10.20.0.2 port 1091
> rdr on $external inet proto tcp to port 3389 -> 10.20.0.5 port 3389
> rdr on $external inet proto tcp to port 22 -> 10.20.0.2 port 1092
> 
> 
> # NAT: we need a rule for the inside network as well as the wireless.
> nat on $external from 10.20.0.0/24 to any -> $external
> pass in quick on $external inet proto tcp from any to 10.20.0.2 keep state
> 
> pass out quick on lo0 from any to any
> pass in quick on lo0 from any to any
> 
> pass out quick on $internal from any to any
> pass in quick on $internal from any to any
> 
> block in log quick on $unsafe inet proto icmp from any to any icmp-type redir
> block in quick on $external from $nonroutable to any
> block out quick on $external from any to $nonroutable
> 
> pass in quick on $unsafe inet proto icmp from any to any icmp-type { \
>     echorep, echoreq, timex, unreach }
> block in log quick on $unsafe inet proto icmp from any to any
> 
> # Allow TCP Ports
> pass in quick on $external inet proto tcp from any to any port $services \
>      flags S/SA keep state queue (default_q, highpri_q)
> 
> 
> 
> # Allow UDP Ports
> pass in quick on $unsafe inet proto udp from any to any port domain
> 
> pass in quick on $external inet proto tcp from any to any port 1091
> 
> pass out quick on $external inet proto tcp from any to any \
>      flags S/SA keep state queue (default_q, highpri_q)
> pass out quick on $external inet proto udp  all keep state
> pass out quick on $external inet proto icmp from any to any keep state
> 
> 
> block return-rst in log quick on $unsafe inet proto tcp from any to any
> block return-icmp in log quick on $unsafe inet proto udp from any to any
> block in quick on $unsafe all
> 
> 
> Please let me know if you have any ideas. Thanks
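The FAQ page Chris points to explains the "strange properties": FTP negotiates a second, data connection in-band, by sending an address and port inside the control channel (the client's PORT command in active mode, the server's 227 reply to PASV in passive mode). A static rdr on port 1091 forwards only the control channel; the data endpoint is chosen per session, and when the server sits on 10.20.0.2 its PASV reply advertises that private address to the outside client. The following Python is an added example written for this thread, not code from the post or from OpenBSD: it decodes both forms of the h1,h2,h3,h4,p1,p2 tuple, lists the data connections a firewall would have to track for a constructed control-channel transcript, flags RFC 1918 addresses that an external client cannot reach, and shows the address rewrite an FTP-aware proxy performs on a 227 reply. The transcript and the public address 203.0.113.7 are constructed placeholders.

```python
"""Decode FTP data-channel negotiation (PORT / PASV) from a control session.

Added example for the thread above; all sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Both the PORT command and the 227 reply to PASV carry h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 space; the thread's server (10.20.0.2) sits in 10.0.0.0/8
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def parse_hostport(text: str) -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 tuple; the port is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = vals
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", port)


def format_hostport(ep: Endpoint) -> str:
    """Inverse of parse_hostport: dotted host back to the comma form."""
    return f"{ep.host.replace('.', ',')},{ep.port >> 8},{ep.port & 0xFF}"


def is_rfc1918(ep: Endpoint) -> bool:
    """True if the advertised address is private, i.e. unreachable from outside."""
    addr = ipaddress.ip_address(ep.host)
    return any(addr in net for net in _RFC1918)


def data_connections(transcript: list[str]) -> list[tuple[str, Endpoint]]:
    """Walk a control-channel transcript ('C: ' client lines, 'S: ' server lines)
    and list every data connection a firewall would have to let through.
    PORT -> the server connects out to the client's endpoint (active mode)
    227  -> the client connects in to the server's endpoint (passive mode)
    """
    found = []
    for line in transcript:
        who, _, payload = line.partition(": ")
        if who == "C" and payload.upper().startswith("PORT "):
            found.append(("server->client", parse_hostport(payload)))
        elif who == "S" and payload.startswith("227 "):
            found.append(("client->server", parse_hostport(payload)))
    return found


def rewrite_pasv_reply(reply: str, external_ip: str) -> str:
    """What an FTP-aware proxy does to a 227 reply from a server behind NAT:
    swap the private address for the firewall's public one. The port is kept,
    so the firewall must also forward that port to the server for the session."""
    ep = parse_hostport(reply)
    if not is_rfc1918(ep):
        return reply
    return _HOSTPORT.sub(format_hostport(Endpoint(external_ip, ep.port)), reply, count=1)


# Constructed transcript: an external client talking to the NATed server.
# 203.0.113.7 below is a placeholder for the firewall's public address.
SAMPLE_TRANSCRIPT = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (10,20,0,2,19,137)",
    "C: LIST",
]

if __name__ == "__main__":
    for direction, ep in data_connections(SAMPLE_TRANSCRIPT):
        note = "  <-- private address, unreachable from outside" if is_rfc1918(ep) else ""
        print(f"{direction}: {ep.host}:{ep.port}{note}")
    print(rewrite_pasv_reply(SAMPLE_TRANSCRIPT[5][3:], "203.0.113.7"))
```

Run it and the passive-mode data connection shows up as client->server to 10.20.0.2:5001, which no outside client can reach through the rdr for port 1091 alone; that is the point at which the session appears to "die". Rewriting the 227 reply is only half of what a proxy does: it must also arrange for the firewall to pass the negotiated port for that one session, which is why the FAQ routes FTP through ftp-proxy instead of a plain rdr.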