Re: ftp-proxy (again)
From: Bob (no.spam_at_see.the-sig.con)
Date: 02/09/05
- Next message: Bob: "Re: DEL Key"
- Previous message: Vlad D. Markov: "Re: FreeBSD 5.3 & ssh"
- In reply to: Bob: "ftp-proxy (again)"
- Next in thread: David Magda: "Re: ftp-proxy (again)"
- Reply: David Magda: "Re: ftp-proxy (again)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 09 Feb 2005 02:24:43 +0000
Thank you, David and Matthew, for your replies.
The problem turned out to be local packets not being permitted by PF to
reply to the ftp-proxy reply. So a connection was being started, but
when ftp-proxy switched to passive mode, its reply packets were labelled
with the external interface address, because of the way the rdr rule was
redirecting the packets destined for FTP ports.
I believe I have solved this problem completely. (Now I'm just waiting
for my system to bite me in the ass and prove me wrong. I'm using
FreeBSD 5.3, by the way.)
*** Firstly, I changed inetd.conf to give ftp-proxy alternative options:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u ftp-proxy -a 192.168.1.100
This line in inetd.conf causes ftp-proxy to run with the address
192.168.1.100, which is the address of the *internal* interface, because
the local network is permitted to talk to the proxy machine by
addressing its internal interface, not by addressing its external
interface. It also tells ftp-proxy to switch to user ftp-proxy (which is
a part of FreeBSD 5.3 as standard).
*** Secondly, the rdr rule in pf.conf had to be changed to reflect this
address:
rdr on $int_intfc proto tcp from $int_intfc:network to any port 21 -> $int_intfc port 8021
(where $int_intfc is a PF macro for the internal interface, and port
8021 is the port assigned to the service named ftp-proxy in /etc/services)
So now traffic from the local network destined for FTP port 21 is sent
to ftp-proxy via the inetd super-server.
*** Finally, ftp-proxy needs to be permitted to send packets out of the
external interface, so I added the following rule:
pass out log on $ext_intfc proto tcp from any port 49152:65535 to any port { 20, 21, 49152:65535 } user ftp-proxy modulate state queue(default_out, ack_out)
This rule allows the user ftp-proxy to send packets from ftp-proxy's
communication-range ports (I use the default here, but a different range
can be specified in your inetd.conf line) to FTP ports 20 and 21 and the
communication-range ports, and keeps state so that replies from the FTP
server are permitted back to ftp-proxy.
And it all seems to do the job. For the first time, I've been able to
connect to my website FTP and FreeBSD FTP from my Windows machine,
through the firewall, without having to leave ports always-open to the
outside, and without having to allow any host access any IP on any port
over 1024.
This method does not allow active FTP sessions, but I don't trust active
FTP, precisely because it does require ports to be left open for reply
packets.
So I'm happy. Thanks to you both, and to everyone else who has helped in
my many attempts at firewall configuration and FTP proxying.
-- Bob
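The three pieces in the message above (the inetd.conf line, the rdr rule and the pass out rule) only work when they agree with each other: the address handed to ftp-proxy with -a, the address and port the rdr rule redirects to, and the source-port range the pass out rule permits all have to line up. The fragment below is an added example that collects them into one pf.conf in the pre-OpenBSD-4.7 syntax the message uses; it is not Bob's configuration. The interface names fxp0/fxp1, the proxy_addr macro, the queue names and the pass in rule on the internal interface are assumptions; the message only states that the LAN is allowed to reach the proxy machine on its internal interface, and the pass in rule is one way to express that.

```pf
# Added example, not the original poster's pf.conf. Interface names,
# the proxy_addr macro, the queue names and the "pass in" rule are assumptions.
ext_intfc  = "fxp0"
int_intfc  = "fxp1"
proxy_addr = "192.168.1.100"   # must match the -a address in the inetd.conf ftp-proxy line

# Translation rules come before filter rules in this PF syntax.
# Step 2 of the message: send LAN-originated FTP control connections to ftp-proxy,
# which inetd runs on port 8021 (the ftp-proxy entry in /etc/services).
rdr on $int_intfc proto tcp from $int_intfc:network to any port 21 -> $proxy_addr port 8021

# Assumed: let the LAN reach the redirected proxy port on the internal interface.
# After rdr the packet's destination is already proxy_addr:8021.
pass in on $int_intfc proto tcp from $int_intfc:network to $proxy_addr port 8021 keep state

# Step 3 of the message: only the ftp-proxy user may open outbound connections from
# its default 49152:65535 range to FTP control/data ports and passive-mode ports.
# State tracking lets the server's replies back without a standing "pass in" on
# high ports, which is the point of the whole setup.
pass out log on $ext_intfc proto tcp from any port 49152:65535 \
    to any port { 20, 21, 49152:65535 } user ftp-proxy modulate state \
    queue(default_out, ack_out)
```

Before loading such a file, check it with `pfctl -nf /etc/pf.conf` (parse only) and then `pfctl -f /etc/pf.conf`; the queue() clause presumes those queues are defined in an altq block elsewhere in the file, and the `user ftp-proxy` match only applies because inetd starts the proxy with `-u ftp-proxy`, so a change to either side silently breaks the rule rather than the proxy.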