Re: running a ftp server behind a bsd box running nat
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: running a ftp server behind a bsd box running nat
- From: Per-Olov Sjöholm <maillistuser+openbsd_misc_(_at_)_flowsystems_(_dot_)_se>
- Date: Tue, 15 Apr 2003 21:56:39 +0200
- Cc: mruder_(_at_)_sti-k12_(_dot_)_com
I posted a possible solution to this earlier....
Here it is again.... This is for passive connections (preferred).
For active FTP you just permit your server to use high ports to the Internet.
/ * start posted message * /
There are a couple of things you need to do.
If you are using the OpenBSD FTP server you can do as follows to accept
passive ftp to the server on your dmz.
(If you run the ftp server on private addresses on a dmz or an internal network
behind nat.)
1. Modify the /etc/sysctl.conf on the ftp server and choose a passive port range
to use.
(example: net.inet.ip.porthilast=49161 # Gives a port range from 49152 to 49161)
2. Add an extra private address to the ftp server on the dmz (the server now has
two addresses).
3. Port forward the ports above in your fw to the second ip address on the
internal ftp server (and don't forget port 21). In the example below it is
192.168.1.4.
Example:
My fw runs PF on OpenBSD 3.2.
rdr on $INTERNET_INT proto tcp from any to $FW_EXT port 21 -> $DMZ1_WAREHOUSE_2 port 21
rdr on $INTERNET_INT proto tcp from any to $FW_EXT port 49152:49161 -> $DMZ1_WAREHOUSE_2 port 49152:*
(Don't forget to also permit the traffic...)
4. The ftp server must return your fw's external ip back to the client for the
passive connection. As far as I can see the OpenBSD server does not support
this (this is the reason for a second IP on the ftp server). But.... you can
install a firewall (well... NAT) on the ftp server and fix this through a
second loopback interface... Here is an example I have used with ipfilter. It
should also be easy to do this in PF (I am using PF also, but not on this old
machine).
200.200.200.200 is the FW external ip in this example.
--/etc/ipnat.rules on the ftp server--
rdr ep0 from any to 192.168.1.4/32 port = 21 -> 200.200.200.200 port 21 tcp
map ep0 from 200.200.200.200/32 to any -> 192.168.1.4/32
rdr ep0 from any to 192.168.1.4/32 port = 49152 -> 200.200.200.200 port 49152 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49153 -> 200.200.200.200 port 49153 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49154 -> 200.200.200.200 port 49154 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49155 -> 200.200.200.200 port 49155 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49156 -> 200.200.200.200 port 49156 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49157 -> 200.200.200.200 port 49157 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49158 -> 200.200.200.200 port 49158 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49159 -> 200.200.200.200 port 49159 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49160 -> 200.200.200.200 port 49160 tcp
rdr ep0 from any to 192.168.1.4/32 port = 49161 -> 200.200.200.200 port 49161 tcp
--/etc/hostname.lo1 on the ftp server--
inet 200.200.200.200 255.255.255.255 NONE
It is a lot easier if the ftp server supports returning the FW external IP
directly. Then there is no need to set up an extra IP on the ftp server.
This is it!
It works for me....
Regards
Per-Olov Sjöholm
/ * end posted message * /
Regards
Per-Olov Sjöholm
Flowsystems AB
www.flowsystems.se
> Anyone
> I am having trouble configuring my bsd box to allow
> connections to my ftp server that is behind the OpenBSD firewall
> I have read a few articles and none have worked. So far this is the
> best I get.
> I have this line in my inetd.conf
> ftp stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -R 192.168.1.2
> I have a few lines in my pf.conf but nothing seems to work. Can someone
> please help me get this set up? I am desperate and can not find
> anything that is specific to my needs.
> Thank you,
> Matthew Ruder
> STI-Illinois
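An added check, not part of the original posting and not OpenBSD code: a Python script that decodes the 227 PASV reply a server hands out and verifies that the advertised address is the firewall's external IP and that the data port falls inside the range the firewall forwards. It assumes the example values used in the message (200.200.200.200 and ports 49152 to 49161) and an anonymous login for the optional live check against your own server.

```python
import re
from ftplib import FTP
from typing import NamedTuple

# Example values taken from the posted setup: the firewall's external
# address and the passive range chosen via net.inet.ip.porthilast.
FW_EXTERNAL_IP = "200.200.200.200"
PASV_PORT_FIRST = 49152  # net.inet.ip.porthifirst (OpenBSD default)
PASV_PORT_LAST = 49161   # net.inet.ip.porthilast as set in sysctl.conf

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PasvEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(reply: str) -> PasvEndpoint:
    """Decode the address and port a server advertises in its 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= n <= 255 for n in fields):
        raise ValueError(f"PASV field out of range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv_reply(reply: str, external_ip: str = FW_EXTERNAL_IP,
                     first: int = PASV_PORT_FIRST, last: int = PASV_PORT_LAST) -> list:
    """Return the problems found; an empty list means the reply matches the rdr rules."""
    ep = parse_pasv(reply)
    problems = []
    if ep.host != external_ip:
        # ftpd handed out a private address: a client on the Internet cannot reach it
        problems.append(f"advertised {ep.host} instead of external address {external_ip}")
    if not first <= ep.port <= last:
        # port outside the range the firewall forwards: the data connection will fail
        problems.append(f"data port {ep.port} is outside forwarded range {first}-{last}")
    return problems


def check_live_server(host: str, user: str = "anonymous", password: str = "probe@") -> list:
    """Log in to your own server from outside and check its real PASV reply (uses the network)."""
    with FTP(host, timeout=15) as ftp:
        ftp.login(user, password)
        return check_pasv_reply(ftp.sendcmd("PASV"))
```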