Re: FTP server behind a PF firewall (including NAT)
From: Rudolf Polzer (divverent_at_caths.co.uk)
Date: 07/03/05
- Next message: Rudolf Polzer: "Re: FTP server behind a PF firewall (including NAT)"
- Previous message: Rudolf Polzer: "Re: Curious about FreeBSD culture"
- In reply to: Matthew X. Economou: "Re: FTP server behind a PF firewall (including NAT)"
- Next in thread: Matthew X. Economou: "Re: FTP server behind a PF firewall (including NAT)"
- Reply: Matthew X. Economou: "Re: FTP server behind a PF firewall (including NAT)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 3 Jul 2005 15:35:35 +0000 (UTC)
»Matthew X. Economou« <xenophon+usenet@irtnog.org> wrote:
> >>>>> "CN" == Christopher Nehren <apeiron+usenet@coitusmentis.info> writes:
>
> CN> Here are the relevant lines from my /etc/pf.conf:
>
> Christopher,
>
> Thank you, but I have a working PF configuration for FTP clients, both
> for active and passive mode. (Of course, to allow passive mode
> transfers, I am forced to allow connections to all TCP ports above
> 1024 from my internal network to the Internet, which amounts to a
> default-allow firewall policy.)
>
> What I want is a working configuration for my FTP server (also behind
> this firewall) that allows both active mode and passive mode clients.
> Active-mode transfers are the easiest (again, allow connections to all
> TCP ports above 1024 from the FTP server to the Internet).
> I can't figure out how to get passive-mode transfers working, as the
> internal (pre-NAT) IP address of the FTP server is embedded in the
> control connection, and none of the FTP proxy packages (ftp-proxy(8),
> ftp/ftpproxy, or ftp/frox) have the ability to act as what the web
> people call a reverse proxy.
Use an FTP server that can do the work needed for NAT itself, like
pure-ftpd.
> CN> If you're thinking of using pure-ftpd (which I wholeheartedly
> CN> recommend as it has the security of vsftpd and the features of
> CN> WoefullyUnsecureFTPd), here are the relevant lines from
> CN> pure-ftpd.conf on the server:
>
> On which computer are you running pure-ftpd? I'm running it on a
> system behind my firewall, where because the internal IP address of
> the FTP server is embedded in the control connection, passive-mode
> connections will not work
Solution: pure-ftpd.
To find out the external IP, a DNS name (or a fixed external IP) is
preferred; that can be given with the -P option. And you can give it a
port range for passive connections, which you then forward on your
firewall (the -p option).
> Bah. This is stupid. FTP should just work with a simple allow rule,
> and the firewall should just account for everything, rewriting the
> control connection and dynamically opening ports or changing the NAT
> table as necessary, automatically. This is so basic.
Not at all. I've never seen a working implementation of this. Most of
them only work if the PASV reply is completely contained in a packet -
and often their FTP "support" can be misused to open holes in the
firewall.
> I don't have to jump through these kinds of hoops on Linux, or on
> IPFILTER (which I'd be using if the policy compiler for Firewall
> Builder weren't so broken), or on commercial-grade firewall packages
> like FireWall-1.
natd can do that.
-- 
Elfen Lied glorifies violence. Especially considering everything in it that gets most brutally slaughtered, most cruelly torn to pieces and, while still alive, cut up, sawn apart and hacked to bits... it would not be an exaggeration to say: "Boldly splitting German composites that no man had split before"
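The two points argued above (that the server's pre-NAT address is embedded in the 227 PASV reply, and that firewall FTP helpers tend to break when that reply is not contained in one segment and can be abused to open ports) can be made concrete with a small rewriter. The code below is an added example, not code from the original post, from pure-ftpd or from PF; it is the minimal work a "reverse" FTP proxy sitting at the firewall would have to do. The addresses 192.168.1.10 and 203.0.113.5 and the passive range 50000-50100 are constructed assumptions standing in for the internal server address, the firewall's public address and the range handed to pure-ftpd's -p option and forwarded with a PF rdr rule.

```python
import re

# Constructed assumptions for this example (not from the original post):
INTERNAL_IP = "192.168.1.10"           # FTP server's pre-NAT address
EXTERNAL_IP = "203.0.113.5"            # firewall's public address
PASV_PORTS = range(50000, 50101)       # range forwarded by the firewall

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.ASCII)


def parse_pasv(line):
    """Return (ip, port) from a complete 227 reply line, or None if it is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_pasv(ip, port):
    """Build a 227 reply line for the given address and port."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ip.replace(".", ","), port // 256, port % 256)


class PasvRewriter:
    """Rewrites the server's PASV replies on the control connection.

    Bytes are buffered until a full CRLF-terminated line is available, so a
    reply split across two TCP segments is still rewritten correctly.  Only a
    reply that names our own server and a port in the forwarded range is
    rewritten and recorded as a pinhole; anything else passes through
    untouched and opens nothing.
    """

    def __init__(self, internal_ip, external_ip, allowed_ports):
        self.internal_ip = internal_ip
        self.external_ip = external_ip
        self.allowed_ports = allowed_ports
        self.buf = b""
        self.pinholes = []   # (public ip, port) pairs a firewall would open
        self.rejected = []   # (ip, port) pairs refused as not ours/not forwarded

    def feed(self, data):
        """Feed raw server-to-client bytes; return the bytes to forward."""
        self.buf += data
        out = b""
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            out += self._rewrite_line(line + b"\r\n")
        return out

    def _rewrite_line(self, raw):
        parsed = parse_pasv(raw.decode("ascii", "replace"))
        if parsed is None:
            return raw                       # not a PASV reply, pass through
        ip, port = parsed
        if ip != self.internal_ip or port not in self.allowed_ports:
            # Refuse to let the control channel steer us to another host or
            # an unforwarded port; this is the hole a naive helper opens.
            self.rejected.append((ip, port))
            return raw
        self.pinholes.append((self.external_ip, port))
        return format_pasv(self.external_ip, port).encode("ascii")


def demo():
    """Run the rewriter over constructed replies, including a split one."""
    rw = PasvRewriter(INTERNAL_IP, EXTERNAL_IP, PASV_PORTS)
    first = rw.feed(b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n")
    # Reply fragmented across two segments: nothing is emitted until CRLF.
    part = rw.feed(b"227 Entering Passive Mode (192,168,1,")
    second = rw.feed(b"10,195,81)\r\n")
    # A reply pointing at a foreign host or an unforwarded port is left alone.
    foreign = rw.feed(b"227 Entering Passive Mode (10,0,0,99,195,80)\r\n")
    lowport = rw.feed(b"227 Entering Passive Mode (192,168,1,10,4,0)\r\n")
    return first, part, second, foreign, lowport, rw


if __name__ == "__main__":
    for item in demo()[:5]:
        print(repr(item))
    print(demo()[5].pinholes, demo()[5].rejected)
```

Port 50000 is encoded as (195,80) because 195*256+80 = 50000. With the approach the reply above recommends (pure-ftpd told its public name via -P and a fixed range via -p, plus a PF rdr for that range) no such rewriting is needed at all, since the server already writes the public address itself; the block exists to show what a firewall helper has to get right, and why one that only inspects single packets or rewrites every 227 line it sees is both fragile and dangerous.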