Re: FTP Re-Direct via local FTP-Proxy does not work....
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
- From: forums <forum_(_at_)_vanleeuwen_(_dot_)_nl>
- Date: Tue, 8 Feb 2005 17:28:21 +0100
Hi,
Yep, in fact, all IP addresses on the box are public IP addresses, so on the
outside AND on the inside, as well as the back fw.
I am trying to see stuff with the log function in pf (thanks for that little
tip, Stuart, in the other reply mail; that does come in handy).
I do see the traffic leaving the firewall:
Feb 08 09:05:56.064877 rule 10/0(match): pass out on fxp0: <my ext ip>.63288 > 208.254.18.148.21: S 482087809:482087809(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
and I do see it getting back in as well:
Feb 08 09:05:56.943430 rule 13/0(match): pass in on fxp0: 208.254.18.148.20 > <my ext ip>.51010: S 2274595844:2274595844(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]> (DF)
I also see the ftp-proxy session starting when I try to connect to an FTP
site, with ps -aux | grep:
proxy 10358 0.0 0.1 164 628 ?? Ss 5:18PM 0:00.00 ftp-proxy
So that all looks quite normal; what I don't really see is how do I monitor the
internal NIC?
I use the rdr pass option to redirect incoming port 20 traffic to the local
interface 127.0.0.1 like so:
rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
As I understand from the FAQ, using the PASS option will bypass the pf rules
at that time... (correct?).
When I do a tcpdump -i xl0 (internal NIC) then I don't see the incoming
traffic... now, I think that is strange,
as it would arrive there first before being redirected to 127.0.0.1, right?
Also, when I monitor the lo0 (local loopback)
I don't see anything entering the system (tcpdump -i lo0),
but as I DO see traffic leaving the external NIC, and see the process
starting, it IS coming in somewhere....
When I disable pf, I DO see it coming in on the internal NIC xl0... (as there
is no rdr done as well then)
On my internal NIC I have:
# Allow traffic from and to Back-Firewall (ISA) via $int_if1
pass in on $int_if1 from <ip back fw> to any
pass out on $int_if1 from any to <ip back fw>
I even changed it to:
# Allow traffic from and to Back-Firewall (ISA) via $int_if1
pass in on $int_if1 from any to any
pass out on $int_if1 from any to any
but still no cigar....
I am at a loss here really.... why don't I see the incoming traffic (port 20)
the moment I activate pf (with the rdr pass) with tcpdump?
-----Original message-----
From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
Sent: Monday, 7 February 2005 21:32
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
Hi,
Hm, is ext_if connected directly to the internet? I mean, does it have a
public IP address which can be connected to from the outside world? If not,
ftp-proxy cannot work, because it sends its own IP address to the ftp-server
as destination for the data connection. And this doesn't work if it is
192.168.1.1, for example.
Regards
Stefan Kell
On Mon, 7 Feb 2005, forums wrote:
> Hi,
>
> when I start a FTP session from a client, and then do
>
> #ps -aux | grep ftp-proxy
>
> I get
> proxy 2461 0.0 0.1 180 620 ?? Is 5:35PM 0:00.00 ftp-proxy
>
> So, it does start....
>
> but my client never gets the FTP site and the process is gone after a
> minute or so.
>
> Checking /etc/group.... proxy is user 71, so that's correct...
> pf comes up with that number itself, as I give just the name:
>
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy
> flags S/SA keep state
>
> So, it must kinda be a pf block rule somewhere then, I think.... this is
> what I have at the moment:
>
> # Make FTP traffic be re-routed to a local ftp proxy
> rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
>
> # Here the real rules begin
> #
> block in all
> block out all
> block return-rst in log on $ext_if inet proto tcp from any to any
> port=113
>
> pass quick on { lo } all
> antispoof quick for { $int_if1 } inet
>
> # Allow traffic from and to Back-Firewall via $int_if1
> pass in on $int_if1 from <ip back fw> to any
> pass out on $int_if1 from any to <ip back fw>
>
> # Allow traffic out towards internet ($ext_if) but with a state
> pass out on $ext_if proto { tcp, udp, icmp } all modulate state flags S/SA
>
> # Allow incoming FTP traffic from the internet only when started from the
> # local ftp-proxy
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user
> proxy flags S/SA keep state
>
> regards
> Willem
>
> -----Original message-----
> From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
> Sent: Monday, 7 February 2005 17:11
> To: forums
> CC: misc_(_at_)_openbsd_(_dot_)_org
> Subject: Re: FTP Re-Direct via local FTP-Proxy does not work....
>
> Hi,
>
> You are sure that ftp-proxy runs as user proxy? Your rule:
>
> > pass in log on fxp0 inet proto tcp from any port = ftp-data to
> > (fxp0) user = 71 flags S/SA keep state
>
> specifies that the listener on port 20 must run with userid 71 (proxy).
>
> What gives "ps -aux|grep ftp"?
>
> > I don't really get why the ' port 20 to ($ext_if)' is there?
>
> Because the ftp-server on the other side will open a data connection
> from itself to port 20 on your firewall. That is the normal way for
> active ftp.
> If you switch to passive mode then you will open the data connection
> to the other side.
>
> Regards
>
> Stefan Kell
>
> On Mon, 7 Feb 2005, forums wrote:
>
> > Sorry, the pfctl -s rules was a bit unreadable...
> >
> > -----Original message-----
> > From: forums [mailto:forum_(_at_)_vanleeuwen_(_dot_)_nl]
> > Sent: Monday, 7 February 2005 14:24
> > To: misc_(_at_)_openbsd_(_dot_)_org
> > Subject: FTP Re-Direct via local FTP-Proxy does not work....
> >
> > Hi,
> >
> > I always seem to have trouble getting FTP to work through the
> > firewall. I am setting up a new firewall based on OpenBSD 3.6 and
> > according to the MAN / FAQ I need to use an FTP proxy to allow FTP
> > client traffic through.
> > It works on my former BSD box, but that is still running under ipfw
> > :-(
> >
> >
> > So, in /etc/pf.conf I have added:
> >
> > rdr pass on $int_if1 proto tcp to port ftp -> 127.0.0.1 port 8021
> > (where $int_if1 is my internal NIC)
> >
> > in /etc/inetd.conf I activated the FTP-PROXY with:
> >
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
> > (not -n as I do not do NAT at this system)
> >
> > Then I also added into /etc/pf.conf:
> >
> > pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) user
> > proxy flags S/SA keep state
> >
> > to allow the incoming traffic from 'active' FTP connection to get
> > back into the system...
> >
> > But, no cigar.... I do see (using active FTP) the traffic getting back
> > into the firewall, but that's it. When I disable pf (pfctl -d) then
> > it runs like a charm, so it must be a PF block somewhere...
> >
> > ------------------------
> > I don't really get why the ' port 20 to ($ext_if)' is there? Should
> > it not go to the localhost (lo0)?
> > I tried that, but that made no difference...
> > ----------------------
> >
> > pfctl -s rules:
> >
> > xl0 internal nic
> > fxp0 external nic
> >
> > scrub in all fragment reassemble
> > block drop in all
> > block drop out all
> > block return-rst in log on fxp0 inet proto tcp from any to any port = auth
> > pass quick on lo all
> > block drop in quick on ! xl0 inet from <internal range> to any
> > block drop in quick inet from <internal nic ip> to any
> > pass in on xl0 inet from <internal proxy server ip> to any
> > pass out on xl0 inet from any to <internal proxy server ip>
> > pass out on fxp0 proto tcp all flags S/SA modulate state
> > pass out on fxp0 proto udp all keep state
> > pass out on fxp0 proto icmp all keep state
> > pass in log on fxp0 inet proto tcp from any port = ftp-data to (fxp0) user = 71 flags S/SA keep state
> >
> > Anyone know what the problem might be?
> >
> > regards
> > Willem
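The thread above turns on reading pflog output: on the external interface the proxy's own control connection should appear as an outbound SYN to port 21, and an active-mode data connection should appear as an inbound SYN from the server's port 20 to the firewall's own address (which is why Stefan insists ext_if needs a public IP). The script below is an added example, not code from this thread or from OpenBSD; it parses tcpdump-style pflog lines in the format the thread shows and labels the FTP-related SYNs so you can see at a glance whether the control connection went out, whether the data connection came back in, and whether anything FTP-related was blocked. The log lines, the interface names fxp0/xl0 and the addresses 203.0.113.10 (firewall external IP), 198.51.100.21 (FTP server) and 192.0.2.5 (internal client) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample pflog lines in the format shown in the thread.
# Addresses are documentation ranges standing in for the real hosts:
#   203.0.113.10  = the firewall's external IP
#   198.51.100.21 = a remote FTP server
#   192.0.2.5     = an internal client behind $int_if1 (xl0)
SAMPLE_PFLOG = """\
Feb 08 09:05:56.064877 rule 10/0(match): pass out on fxp0: 203.0.113.10.63288 > 198.51.100.21.21: S 482087809:482087809(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
Feb 08 09:05:56.943430 rule 13/0(match): pass in on fxp0: 198.51.100.21.20 > 203.0.113.10.51010: S 2274595844:2274595844(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]> (DF)
Feb 08 09:06:02.117001 rule 1/0(match): block in on xl0: 192.0.2.5.40022 > 198.51.100.21.21: S 1122334455:1122334455(0) win 65535 <mss 1460> (DF)
"""

# One pflog line: timestamp, "rule N/M(reason):", action, direction,
# interface, "src.port > dst.port:" and the TCP flags field.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
)


@dataclass
class PfEvent:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool


def split_endpoint(ep: str) -> Tuple[str, int]:
    """tcpdump writes 'a.b.c.d.port'; the port is the last dotted field."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def parse_pflog_line(line: str) -> Optional[PfEvent]:
    m = PFLOG_RE.match(line)
    if not m:
        return None
    sip, sport = split_endpoint(m["src"])
    dip, dport = split_endpoint(m["dst"])
    return PfEvent(m["ts"], int(m["rule"]), m["action"], m["dir"], m["ifname"],
                   sip, sport, dip, dport, m["flags"].startswith("S"))


def parse_pflog(text: str) -> List[PfEvent]:
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]


def classify_ftp(ev: PfEvent, ext_if: str, ext_ip: str) -> Optional[str]:
    """Label the SYNs that matter for an ftp-proxy setup (others -> None).

    control-out:       proxy opening the control channel to the server (port 21)
    active-data-in:    server's active-mode data connection from port 20 to
                       the firewall's own external address
    client-control-in: internal client's SYN to port 21 on an inside interface
    """
    if not ev.syn:
        return None
    if ev.ifname == ext_if and ev.direction == "out" and ev.dst_port == 21:
        return "control-out"
    if (ev.ifname == ext_if and ev.direction == "in"
            and ev.src_port == 20 and ev.dst_ip == ext_ip):
        return "active-data-in"
    if ev.ifname != ext_if and ev.direction == "in" and ev.dst_port == 21:
        return "client-control-in"
    return None


def audit_ftp_session(events: List[PfEvent], ext_if: str, ext_ip: str) -> dict:
    """Group passed FTP SYNs by kind (rule numbers) and list blocked ones."""
    report = {"control-out": [], "active-data-in": [],
              "client-control-in": [], "blocked": []}
    for ev in events:
        kind = classify_ftp(ev, ext_if, ext_ip)
        if kind is None:
            continue
        if ev.action == "block":
            report["blocked"].append((kind, ev.rule, ev.ifname))
        else:
            report[kind].append(ev.rule)
    return report


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_PFLOG)
    for kind, hits in audit_ftp_session(evs, "fxp0", "203.0.113.10").items():
        print(f"{kind:18s} {hits}")
```

Only packets that hit a rule carrying `log` show up in pflog, and a `rdr pass` rule lets the redirected packet through without being evaluated by the filter rules, so an internal-side SYN that is never logged is not by itself proof that nothing arrived; a `block` on the inside interface, as in the third constructed line, is the case worth chasing.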