active ftp
From: Dave (dmehler26_at_woh.rr.com)
Date: 10/05/05
Date: Wed, 05 Oct 2005 01:23:36 GMT
Hello,
Does anyone have a pf config for active ftp? I've followed the FAQ and
integrated it into my config, but it isn't working. My config is below. Any help
appreciated.
Thanks.
Dave.
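# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
# match.
# Each rule below is written on a single line: pf.conf does not join a rule
# that was wrapped by a mail client unless the line ends in a backslash.
# define the two network interfaces
ext_if = "rl0"
int_if = "rl1"
# define some address macros
lan_server = "192.168.1.3"
# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4662, 4711, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
# (addresses redacted) - defined but not referenced by any rule below
nameservers = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
isp_dhcp_server = "10.40.224.1"
# Data-port range used by ftp-proxy; it must match the range ftp-proxy is
# started with in inetd.conf.  In pf.conf 'a:b' is an inclusive range while
# 'a >< b' excludes both end points, so one macro is used for every rule
# that refers to the range instead of mixing the two notations.
proxy_ports = "55000:57000"
# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df
# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194
# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021
# Redirect lan client web requests to the local squid proxy
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 8080
# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server
# pass all loopback traffic
pass quick on lo0 all
# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all
# Thwart nmap scans
block in log quick on $ext_if proto tcp all flags FUP/FUP
# prevent lan originated spoofing from occurring
antispoof for $ext_if inet
# block everything from entering EXT
block in log on $ext_if all
# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
# (the destination is already $lan_server here because rdr runs first)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 keep state
# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server keep state
# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc keep state
# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in
# inetd.conf.  The server connects to the address the proxy advertised in
# its PORT command, i.e. the external address: a packet arriving from the
# Internet on $ext_if never has 127.0.0.1 as its destination, so a rule
# written 'to 127.0.0.1' here can never match.  'user proxy' restricts the
# rule to connections accepted by a socket owned by the ftp-proxy user.
pass in quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port $proxy_ports user proxy flags S/SA keep state
# block everything from exiting EXT
block out log on $ext_if all
# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state
# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA modulate state
# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type 8 keep state
# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 flags S/SA modulate state
# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port $proxy_ports to any user proxy flags S/SA keep state
# block everything from entering LAN
block in log on $int_if all
# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this
# connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state
# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter
# int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto udp from $int_if:network to $int_if port { 67, 68, 123, 6112 } keep state
# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_if:network to any port $lan_to_int_services flags S/SA modulate state
# lan network connects to firewall via ssh for administrative purposes
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $lan_to_fw_services modulate state
# allow requests from lan network to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet
# hosts)
pass in quick on $int_if inet proto icmp from $int_if:network to any icmp-type 8 keep state
# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $int_if:broadcast keep state
# allow squid connections from lan to proxy
# NOTE(review): 'from any' is looser than the $int_if:network used by the
# other lan rules; consider tightening it.
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
# allow ftp connections from lan to proxy
pass quick on $int_if inet proto tcp from $int_if:network to lo0 port 8021 flags S/SA keep state
# allow lan clients to reach the proxy's data-port range on the external address
pass in quick on $int_if inet proto tcp from $int_if:network to $ext_if port $proxy_ports flags S/SA keep state
# block everything from exiting LAN
block out log on $int_if all
# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA modulate state
# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 keep state
# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server keep state
# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services flags S/SA modulate state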