How to write transparent FTP or HTTP forwarding rules for PF using Firewall Builder (security/fwbuilder)

From: Matthew X. Economou (xenophon+usenet_at_irtnog.org)
Date: 12/06/04

Date: 05 Dec 2004 20:05:19 -0500

(This assumes a working knowledge of the PF firewall software and the
"Firewall Builder":http://www.fwbuilder.org/ tool.)

I use Firewall Builder to manage my Linux and FreeBSD firewalls. As
you may know, the PF firewall software (now included with FreeBSD 5.3)
does not have an in-kernel FTP proxy. One must explicitly activate a
proxy, forward FTP command channel connections to the proxy, and allow
passive-mode FTP data connections to the proxy (as described in "PF:
Issues with FTP":http://www.openbsd.org/faq/pf/ftp.html). Typical
pf.conf entries look similar to the following::

  # forward FTP connections to the proxy
  rdr on $intif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

  # active mode transfers occur with the client listening for a
  # connection from the FTP server
  pass in quick on $extif inet proto tcp from port 20 to ($extif) user proxy flags S/SA keep state

The FTP proxy is usually run out of inetd with inetd.conf entries
similar to what follows::

  # FTP proxy service, with NAT support enabled
  ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

With a few minor changes to the inetd.conf entry, and with the proper
object, service, and rule definitions, one can easily generate the
proper PF configuration entries using Firewall Builder.

First, reconfigure the FTP proxy service to listen on port 21 (ftp),
instead of 8021 (ftp-proxy). "rdr" NAT rules are executed prior to
block/pass filter rules. If you have a general rule in Firewall
Builder that is (src $net, dst any, service ftp, allow), it will not
match the FTP connection attempt after translation because, after NAT,
the service is now "ftp-proxy" (8021/tcp). You could restate the rule
as "service ftp-proxy", but this might be confusing (besides, it would
be specific to PF and would make retargeting your firewall
configuration to other software more difficult than it already might
be). Instead, keep it simple: run the FTP proxy on localhost:21/tcp,
and keep "service ftp" in your firewall rules. The inetd.conf entry
should now read::

  ftp stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

Second, create a firewall rule that allows outbound FTP access. It
could be as simple as (src $internal, dst any, service ftp, allow),
where $internal is an object or group that represents your internal
network.

Third, create a custom service object called "ftp-proxy-active-mode".
Select the 'PF' platform and enter the code 'user proxy flags S/SA'.

Fourth, create a rule on the firewall's exterior interface that allows
connections back to listeners created by the FTP proxy for active mode
data transfers: (src any, dst $extif, service ftp-proxy-active-mode,
direction inbound, accept). The custom service object will only allow
connections to dynamic ports created by the "proxy" user, the UID to
which the ftp-proxy service switches after being called by inetd.
(While I don't know of a way to restrict the source port to 20/tcp,
technically, according to the FTP RFCs, the source port of the data
transfer connection is not strictly required to be port 20.)

Finally, create a NAT rule that corresponds to your outbound FTP
access rule described in step 2 (same source and destination) and set
the original service to ftp. Set the translated destination to the
firewall's loopback interface.

This configuration, when compiled, will generate a PF configuration
similar to the following::

  # ...in the NAT section...
  rdr proto tcp from $internal to any port 21 -> 127.0.0.1 port 21
  # ...in the filter section...
  pass in quick on $extif inet proto tcp from any to ($extif) user proxy flags S/SA keep state label "..."
  # ...later in the filter section...
  pass in quick inet proto tcp from $internal to any port 21 keep state

This has the same effect as the filter rules described in the PF
documentation.
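The reason step 1 matters is the rdr-before-filter ordering: the filter rule only ever sees the translated packet. The following small model of that ordering is an added illustration, not code from the original post or from PF or Firewall Builder; it assumes $internal is 10.0.0.0/8 and compares the proxy listening on 8021 against the proxy listening on 21.

```python
"""Model of PF evaluating the rdr rule before the filter rule for one FTP
command-channel SYN. Constructed example; the addresses and the assumption
that $internal is 10.0.0.0/8 are not from the original post."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def in_internal(addr):
    # Assumption: $internal is 10.0.0.0/8 (any 10.x.x.x address).
    return addr.startswith("10.")


def rdr_ftp(pkt, proxy_port):
    """rdr proto tcp from $internal to any port 21 -> 127.0.0.1 port <proxy_port>
    NAT rules run first, so the filter section sees the rewritten packet."""
    if pkt.proto == "tcp" and in_internal(pkt.src) and pkt.dport == 21:
        return replace(pkt, dst="127.0.0.1", dport=proxy_port)
    return pkt


def filter_ftp(pkt):
    """pass in quick inet proto tcp from $internal to any port 21 keep state
    (the unchanged rule 'src $internal, dst any, service ftp, allow')."""
    return pkt.proto == "tcp" and in_internal(pkt.src) and pkt.dport == 21


def evaluate(pkt, proxy_port):
    """Return (packet as seen by the filter, passed?)."""
    translated = rdr_ftp(pkt, proxy_port)
    return translated, filter_ftp(translated)


if __name__ == "__main__":
    syn = Packet(src="10.1.2.3", dst="192.0.2.10", dport=21)  # constructed sample
    for port in (8021, 21):
        seen, passed = evaluate(syn, port)
        print(f"proxy on {port}: filter sees dport={seen.dport}, pass={passed}")
```

With the proxy on 8021 the "service ftp" rule never matches the translated packet; with the proxy on 21 it does, which is why the inetd.conf change lets the Firewall Builder rule stay written in terms of ftp.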

-- 
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
