Re: FTP server behind a PF firewall (including NAT)
From: Matthew X. Economou (xenophon+usenet_at_irtnog.org)
Date: 06/30/05
- Next message: Kris Kennaway: "Re: Should I upgrade 5.3 to 5.4"
- Previous message: jpd: "Re: Found a problem in the clamav-port when updating"
- In reply to: (deleted message) Philip W Lee: "Re: FTP server behind a PF firewall (including NAT)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 30 Jun 2005 17:32:24 -0400
>>>>> "Philip" == Philip W Lee <phil@lee-family.me.uk> writes:
Philip> Mine is similar, except that my firewall is ipfw, and I
Philip> have exactly the same problem. I don't want to redirect a
Philip> huge range of high ports, and I can't find any information
Philip> in the man pages about using any kind of ftp-proxy with
Philip> ipfw.
Yeah, IPFW is a real pain compared to most modern firewall software.
For firewalls that don't have in-kernel proxies (e.g. IPFW, PF), you
must rely on a user-space daemon to correctly proxy (and
address-translate) the FTP data transfers. I guess I kind of see the
OpenBSD guys' point, that such a complicated proxy service running
in-kernel is relatively dangerous, but God, stateful packet passing
and address translation is such a pain with protocols like FTP, and it
is really nice when the firewall software "just works". (This is
where firewalls like IPFILTER and iptables really shine. I guess to
guys like me, the risks of someone hacking the in-kernel proxy are
acceptably low.)
Philip> Is ftp-proxy built-in?
ftp-proxy(8) was imported into FreeBSD from OpenBSD, along with PF.
It is really only usable for FTP clients behind the firewall. I don't
know if you can use it with other firewall software, as one
customarily transparently forwards traffic to it via NAT, and it
somehow queries the PF system to obtain the packet's original
(pre-NAT) destination address. You cannot use ftp-proxy with an FTP
server behind your firewall when using NAT, as there is no way to tell
ftp-proxy the final destination address of the connection (ftp-proxy
will look up the packet's original destination address and find the
firewall's external IP address).
Philip> I hope someone can help, as file exchange is getting to be
Philip> a real pain!
I found two user-space FTP proxies, "ftp.proxy"
(http://www.ftpproxy.org/, in ports as ftp/ftpproxy) and "frox"
(http://frox.sourceforge.net/, in ports as ftp/frox). I'm going to
try running ftp.proxy out of inetd(8) as the "ftp-proxy" user,
transparently translating connections to 21/tcp on my firewall's
external interface to this service, and relying on my existing
"pass in quick on fxp* inet from any to any user proxy flags S/SA keep
state" rules to allow the data transfers.
Although, now that I think about it, the lack of an in-kernel FTP
proxy is going to keep me from switching to a default-deny policy.
Because ftp-proxy only proxies active-mode data transfers (where the
FTP server connects to the client to perform a data transfer), I must
allow connections from my interior network to any Internet address
over any TCP port if I want passive-mode transfers to work properly
(where the FTP client connects to the server to perform a data
transfer). How frustrating: In trying to design a secure system, the
PF authors force me to implement an insecure "pass out any to any"
policy.
Best wishes,
Matthew
--
"In the social equation, the value of a single life is nil; in the
cosmic equation, it is infinite."
- Arthur Koestler, _The Invisible Writing_
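To make the arrangement described in this message concrete, the following pf.conf fragment is added here as an illustration; it is not part of the original post and is not configuration shipped by the ftp.proxy or frox projects. It assumes fxp0 is the external interface, fxp1 the interior one, 192.168.1.0/24 and 192.168.1.10 are constructed addresses for the interior network and the FTP server, and inetd(8) runs ftp.proxy on 127.0.0.1 port 8021 as the "ftp-proxy" user (the port number and the inetd/ftp.proxy command line are assumptions, not taken from the message).

```pf
# Added pf.conf example (not from the original message).  Assumptions:
# fxp0 = external interface, fxp1 = interior interface, 192.168.1.0/24 and
# 192.168.1.10 are constructed interior addresses, and inetd runs ftp.proxy
# on 127.0.0.1 port 8021 as the "ftp-proxy" user.
ext_if     = "fxp0"
int_if     = "fxp1"
int_net    = "192.168.1.0/24"
ftp_server = "192.168.1.10"
proxy_port = "8021"

# Ordinary NAT for the interior network.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# 1. Redirect inbound FTP control connections aimed at the firewall's
#    external address to the user-space proxy on the loopback address.
#    Translation happens before filtering, so the pass rule names the
#    translated destination 127.0.0.1, not ($ext_if).
rdr on $ext_if inet proto tcp from any to ($ext_if) port 21 \
    -> 127.0.0.1 port $proxy_port
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port $proxy_port \
    flags S/SA keep state

# 2. The proxy is a local process, so the connections it opens toward the
#    interior server or the outside client, and the active-mode data
#    connections it accepts, can be matched by socket owner.  This is the
#    idea behind the message's "pass in quick on fxp* ... user proxy" rule;
#    the owner name here follows the "ftp-proxy" user the message plans
#    to run ftp.proxy as.
pass in  quick on fxp* inet proto tcp from any to any \
    user ftp-proxy flags S/SA keep state
pass out quick on fxp* inet proto tcp from any to any \
    user ftp-proxy flags S/SA keep state

# 3. What stands in the way of default deny: passive-mode transfers by
#    interior clients go to an arbitrary high port on the remote server,
#    and with no in-kernel proxy to open that port on demand they can only
#    be allowed by a blanket rule.  These two lines are the "pass out any
#    to any" policy the message objects to; NAT rewrites the source on
#    $ext_if, so the outbound rule matches ($ext_if) rather than $int_net.
pass in  on $int_if inet proto tcp from $int_net to any \
    flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    flags S/SA keep state
```

The "user" keyword only applies to connections with a socket on the firewall host itself, which is exactly why a proxy running locally (rather than on a separate box) can be given narrow rules by owner while the passive-mode rules in section 3 have to stay broad.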