
Re: pf, ftp-proxy, default deny, 421 Service not available



I see you're only passing ports >1023.  Passive FTP uses those for the 
data connections, but you still need to allow outbound port 21 
access.  That's the control connection.  Check out
http://www.openbsd.org/faq/pf/ftp.html

Craig Skinner wrote:

> Hi there,
>
> I'm having bother mixing pf, ftp-proxy, passive outbound ftp, and a
> default deny rule set on 3.5.
>
> Here's the relevant bits of /etc/pf.conf, which I've been gradually
> loosening up as I went:
>
>
>
> nat on $ext_if inet from $int_fw to any -> ($ext_if:0) static-port
>
> rdr pass on $int_if inet proto tcp from $int_fw port > 1023 \
>         to port ftp -> 127.0.0.1 port 8021
>
> block all
>
> # ftp out from ftp-proxy and local machine, allow passive ftp out
> # http://www.aei.ca/~pmatulis/pub/obsd_ftp.html
> # (I think he's got his -n flag & passive/active muddled when looking
> # at the ftp-proxy man page)
> pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
>         to any port ftp modulate state
>         #to any port ftp flags S/AUPRFS modulate state
>         #to any port ftp flags S/AUPRFS user {proxy craig} modulate
> state
>
> #pass out log on $ext_if inet proto tcp from ($ext_if) port > 49151 \
> pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
>         to any port > 1023 modulate state
>         #to any port > 1023 flags S/AUPRFS modulate state
>         #to any port > 1023 flags S/AUPRFS user proxy modulate state
>
> #pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
>         #to any port > 1023 flags S/AUPRFS user craig modulate state
>         #to any port > 1023 flags S/AUPRFS modulate state
>
>
> pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
>         to any port ftp modulate state
>
>
> pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
>         to any port > 1023 modulate state
>         #to any port > 1023 user proxy modulate state
>         #to any port > 1023 flags S/AUPRFS modulate state
>         #to any port > 1023 flags S/AUPRFS user proxy modulate state
>
>
>
>
> /etc/inetd.conf
>
> 127.0.0.1:8021  stream  tcp     nowait  root    /usr/libexec/ftp-proxy
> ftp-proxy -t 300 -A -u proxy
>
>
> After each edit I do:-
>
> # pfctl -F all
> rules cleared
> nat cleared
> 0 tables deleted.
> altq cleared
> 5 states cleared
> source tracking entries cleared
> pf: statistics cleared
> #
> #
> # pfctl -f /etc/pf.conf
> #
> # kill -HUP `cat /var/run/inetd.pid `
>
>
>
> And then on an internal host:-
>
> [craig@localhost craig]$ ftp -d ftp.openbsd.org
> Connected to ftp.openbsd.org (129.128.5.191).
> 220-
> 220-                 Welcome to SunSITE Alberta
> 220-
> 220-     at the University of Alberta, in Edmonton, Alberta, Canada
> 220-
> 220-All connections to and transfers from this server are logged. If
> 220-you do not like this policy, please disconnect now.
> 220-
> 220-You may want to grab the index file called "ls-lR.gz" in /pub.  It is
> 220-updated nightly with the contents of the ftp tree.
> 220-
> 220-    If you have any questions, hints, or requests, please email
> 220-
> 220-            sunsite@sunsite.ualberta.ca
> 220-
> 220
> Name (ftp.openbsd.org:craig): ftp
> ---> USER ftp
> 331 Who are you impersonating today?
> Password:
> ---> PASS XXXX
> 230-
> 230-    Welcome to Sunsite Alberta
> 230- Login Successful.
> 230 Your data rate unrestricted
> ---> SYST
> 215 UNIX Type: L8
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> ---> PWD
> 257 "/"
> ftp> ls
> ftp: setsockopt (ignored): Permission denied
> ---> PASV
> 227 Entering Passive Mode (192,168,186,250,255,128)
> ---> LIST
> 421 Service not available, remote server has closed connection
> ftp> quit
> [craig@localhost craig]$
>
>
> The ftp-proxy man page states: "Without this flag (-n), ftp-proxy does
> not require any IP forwarding or NAT beyond the rdr necessary to capture
> the FTP control connection."
>
> What am I doing wrong???
>
> Cheers,
> Craig.
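Added example, not part of this thread or of ftp-proxy: a POSIX sh helper that decodes the "227 Entering Passive Mode" reply from Craig's transcript, so you can see which host and port the client is about to open its data connection to, whether that port falls under the "port > 1023" pass rules, and whether the advertised host is the real server or an address ftp-proxy substituted. The sample reply and the server address 129.128.5.191 are taken from the transcript; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Decode an FTP 227 reply:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# host = h1.h2.h3.h4, port = p1*256 + p2.

# Sample 227 line and control-connection server taken from the transcript.
SAMPLE_227='227 Entering Passive Mode (192,168,186,250,255,128)'
CONTROL_SERVER=129.128.5.191

# Print "host port" for a 227 reply; fail (status 1) for anything else.
pasv_endpoint() {
    # Pull the six comma-separated numbers out of the parentheses.
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# Succeed only if the data port is one a "port > 1023" pass rule matches.
pasv_port_passable() {
    port=$(pasv_endpoint "$1" | cut -d' ' -f2)
    [ -n "$port" ] && [ "$port" -gt 1023 ]
}

# "direct" if the 227 names the control server ($2) itself, "proxied" if it
# names some other host (ftp-proxy rewrote it, as in the transcript).
pasv_path() {
    host=$(pasv_endpoint "$1" | cut -d' ' -f1)
    [ -n "$host" ] || return 1
    if [ "$host" = "$2" ]; then echo direct; else echo proxied; fi
}

pasv_endpoint "$SAMPLE_227"                 # 192.168.186.250 65408
pasv_path "$SAMPLE_227" "$CONTROL_SERVER"   # proxied
```

Feed it the 227 line from an `ftp -d` session to confirm the data connection is being sent to the firewall's internal address rather than to the FTP server, and that the port is in the range your pass rules cover.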