pftpx failing on freebsd 5.4-stable

From: Dave (dmehler26_at_woh.rr.com)
Date: 09/20/05

    To: <freebsd-net@freebsd.org>
    Date: Mon, 19 Sep 2005 22:54:19 -0400


    Hello,
        I'm trying to get ftp working from my LAN to the internet. I'm using a
    deny-by-default policy and only allowing out specific traffic. My rules are
    below. I start pftpx and load the pf.conf file, all is good, until I try to
    ftp. Going from the gateway box ftp can at least log on to the site and does
    a 200 EPRT command which eventually times out; anything behind the gateway
    doesn't even get that far. I log everything via pflog and I do not see any
    ftp or pftpx output in the logs at all. In /var/log/messages I do see this:

    Sep 19 22:36:07 guardian kernel: pflog0: promiscuous mode enabled
    Sep 19 22:36:55 guardian pftpx[630]: #3 pf operation failed: Invalid argument
    Sep 19 22:36:55 guardian pftpx[630]: #3 pf rule removal failed: Invalid argument
    Sep 19 22:39:55 guardian pftpx[630]: #4 pf operation failed: Invalid argument
    Sep 19 22:39:55 guardian pftpx[630]: #4 pf rule removal failed: Invalid argument

    Any help appreciated, I'd really like to get this going.
    Thanks.
    Dave.

    # pf.conf
    # for use on gateway box

    # Required order: options, normalization, queueing, translation, filtering.
    # Macros and tables may be defined and used anywhere.
    # Note that translation rules are first match while filter rules are last match.

    # macros
    # define the two network interfaces
    ext_if="xl0"
    int_if="xl1"
    # define our networks
    lan_net="192.168.7.0/24"
    # define servers
    lan_server="192.168.7.3"
    nameservers = "{ xxx }"
    isp_dhcp_server = "xxx"
    # define services
    int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 8000 }"
    lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8080, 8505, 8880, 9102 }"

    # options
    set optimization normal
    set block-policy return
    set require-order yes
    set fingerprints "/etc/pf.os"
    # This helps protect against my maximum states being reached
    # when being port scanned.
    set timeout tcp.closed 1
    set timeout { interval 10, frag 30 }
    set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
    # note: tcp.closed is set a second time here; this later value (90 s)
    # is the one that takes effect and overrides the 1 s set above
    set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
    set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
    set timeout { icmp.first 20, icmp.error 10 }
    set timeout { other.first 60, other.single 30, other.multiple 60 }
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit { states 10000, frags 5000 }

    # normalize packets to prevent fragmentation attacks
    scrub on $ext_if all random-id reassemble tcp
    scrub on $int_if inet no-df

    # nat
    # translate lan client addresses to that of the external interface
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    nat-anchor "pftpx/*"

    # redirections
    rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> $lan_server
    # pftpx ftp proxy
    rdr-anchor "pftpx/*"
    # only ftp from LAN clients arriving on $int_if is sent to the proxy;
    # ftp started on the gateway itself never crosses $int_if and is not redirected
    rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

    # default deny
    block log all

    # immediately prevent IPv6 traffic from entering or leaving all interfaces
    block quick inet6 all

    # pass loopback traffic
    pass quick on lo0 all

    # pftpx proxy traffic
    # (as originally posted this read "pftpx /*" with a stray space before the
    # slash; pf anchor names are literal, so the filter anchor must be spelled
    # exactly like the nat-anchor and rdr-anchor above or the proxy's rules
    # land in an anchor this ruleset never evaluates)
    anchor "pftpx/*"

    # antispoof options
    antispoof quick for $ext_if inet
    antispoof quick for $int_if inet

    # External interface (Incoming)

    # Allow dhcp in
    pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc

    # Allow internet requests through in order to contact lan server
    # keep state on this connection
    pass in quick on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA keep state
    pass in quick on $ext_if inet proto udp from any to $lan_server port 1194 keep state

    # External interface (outgoing)

    # allow dhcp out
    pass out quick on $ext_if inet proto udp from $ext_if to any port bootps

    # allow UDP requests to port 53 from firewall to exit ext_if
    # in order to contact internet nameservers (keep state on this connection)
    pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port 53 keep state

    # allow UDP requests to port 123 from firewall to exit ext_if
    # in order to contact internet ntp servers
    # (keep state on this connection)
    pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state

    # Allow traffic from lan clients to exit $ext_if
    # (After natting is performed) in order to contact internet servers
    # (Keep state on this connection)
    pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA keep state

    # allow out the default range for traceroute(8):
    # "base+nhops*nqueries-1" (33434+64*3-1)
    pass out quick on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state

    # Internal interface (incoming)

    # allow lan broadcasts
    pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if:broadcast

    # allow UDP requests to port 53 from lan clients to enter LAN
    # in order to perform dns queries on the firewall
    # (keep state on this connection)
    pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 keep state

    # allow UDP requests to ports 67, 68, 123 and 6112 from lan clients to enter lan
    # in order to perform dhcp and ntp queries on the firewall
    # (keep state on this connection)
    pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, 68, 123, 6112 } keep state

    # allow lan traffic from lan clients to enter lan
    # in order to contact internet servers (keep state on this connection)
    pass in quick on $int_if inet proto tcp from $lan_net to any port $lan_to_int_services flags S/SA keep state

    # allow requests from lan admin to enter LAN
    # in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
    pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 keep state

    # Internal interface (Outgoing)

    # Allow internet requests to exit lan
    # in order to contact internet servers
    pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services keep state

    # Firewall connects to the lan server via scp/ssh for backup purposes
    pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 flags S/SA keep state
    # firewall connects back to the storage daemon
    # on the lan server ports 9101-9103 to enable it to back up
    pass out quick on $int_if inet proto tcp from $int_if to $lan_server port { 9101, 9102, 9103 } flags S/SA keep state

    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
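Editor's note: pftpx installs its per-session rules into anchors named "pftpx/<pid>.<id>", and pf only evaluates those if pf.conf declares nat-anchor, rdr-anchor and anchor with the identical path. In the pf.conf as originally posted the filter anchor is written "pftpx /*" (with a space) while the nat-anchor and rdr-anchor read "pftpx/*"; pfctl accepts such a file without complaint, so the mismatch is easy to miss. The script below is an added example (not from the post and not part of pftpx or FreeBSD) that cross-checks the anchor declarations in a pf.conf before you start chasing the proxy itself; its sample input is a constructed three-line file reproducing the posted anchor statements.

```shell
#!/bin/sh
# pf_anchor_check.sh (added example, not from the original post)
#
# pftpx installs its per-session nat/rdr/filter rules into anchors named
# "pftpx/<pid>.<id>". pf only consults them if pf.conf declares the matching
# nat-anchor, rdr-anchor and anchor with the identical path "pftpx/*".
# A name that differs by so much as a space loads without complaint, and the
# proxy's rules are simply never evaluated. This cross-checks the declarations.

# Usage: pf_anchor_check FILE
# Prints one line per problem; exit 0 = consistent, 1 = problems found.
pf_anchor_check() {
    awk '
    # anchor statements: [nat-|rdr-|binat-]anchor "name" ...
    /^[ \t]*((nat|rdr|binat)-)?anchor[ \t]+"/ {
        stmt = $1
        name = $0
        sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
        sub(/".*$/, "", name)      # drop the closing quote and what follows
        seen[stmt] = 1
        if (name ~ /[ \t]/) {
            printf "line %d: %s \"%s\": whitespace inside anchor name\n", NR, stmt, name
            bad = 1
        }
        if (first == "") {
            first = name
        } else if (name != first) {
            printf "line %d: %s \"%s\" differs from \"%s\"\n", NR, stmt, name, first
            bad = 1
        }
    }
    END {
        if (first == "") { print "no anchor statements found"; exit 1 }
        # pftpx needs all three kinds declared; report whichever is missing
        n = split("nat-anchor rdr-anchor anchor", need, " ")
        for (i = 1; i <= n; i++)
            if (!(need[i] in seen)) {
                printf "missing %s \"%s\"\n", need[i], first
                bad = 1
            }
        if (bad) exit 1
        exit 0
    }' "$1"
}

# Constructed sample (hypothetical file, not the full posted pf.conf) with
# the three anchor statements as posted, stray space included.
# Returns the checker's exit status, i.e. 1 because of the mismatch.
pf_anchor_demo() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
anchor "pftpx /*"
EOF
    pf_anchor_check "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Run against a real file when one is given on the command line,
# e.g.  sh pf_anchor_check.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    pf_anchor_check "$1"
fi
```

Once the three declarations agree, parse the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` while a LAN client connects; with `block log all` as the default, a blocked control or data connection will show up there with the interface and direction that blocked it.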
