Re: pf and ftp from gateway
- From: "Dave" <dmehler26@xxxxxxxxxx>
- Date: Sun, 16 Dec 2007 10:44:17 -0500
Hello,
I've included the pf.conf file below.
Dave.
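# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
# match.
# define the two network interfaces
ext_if = "xl0"
int_if = "dc0"
# state is created on the initial SYN only (S/SA); the flags part is
# meaningful for tcp rules, keep state applies to every protocol
tcp_state="flags S/SA keep state"
# the network directly attached to the inside interface
int_net = $int_if:network
ipphone1="192.168.0.5"
# SIP signalling/media SOURCE-port ranges used by the phone; the filter
# rules at the end match on these as source ports, not destinations
sip="5060:5081"
sip2="19034"
sip3="16398"
# sip4 is a destination port forwarded from the internet to the phone
sip4="64339"
# sip5 covers every non-privileged udp port; rules using it are very broad
sip5="1024:65535"
# define some address macros
lan_server = "192.168.0.3"
vpn_server = "192.168.0.4"
# define services
# ports on $lan_server that are forwarded from, and reachable by, the
# whole internet (smtp, pop3 and www are cleartext protocols)
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1723, 8000 }"
# destination ports lan clients (and the firewall itself) may reach outside
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, 81,
pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795,
2401, 4000, 4661, 4662, 4711, 4821,
5000, 6969, 11371, 2200, 5001, 5190, 5999, 6112, 6667, 8000, 8021, 8080,
8505, 8880, 9102, 8026, 26881, 5050, 8443 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
# NOTE(review): nameservers and isp_dhcp_server are not referenced by any
# rule below; the dns and dhcp "pass out" rules use "to any" and could be
# tightened to these macros
nameservers = "{ 65.24.7.3, 127.0.0.1, 68.166.89.140, 69.46.17.123 }"
isp_dhcp_server = "10.40.224.1"
# icmp types accepted from outside: 3 unreachable, 8 echo request, 11 time
# exceeded
InICMP = "{ 3,8,11 }"
# destination port range traceroute(8) probes with
OutTracerouteUDP="{ 33434 >< 33525 }"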
# options
# loopback is never filtered, translated or scrubbed
set skip on lo0
set optimization normal
# blocked tcp gets a RST and blocked udp an ICMP unreachable instead of a
# silent drop: fast failure for inside clients, but outside probes receive
# an answer as well ("drop" is the quieter alternative)
set block-policy return
# enforce options -> normalization -> queueing -> translation -> filtering
set require-order yes
set fingerprints "/etc/pf.os"
# reassemble inbound fragments before any rule sees them
scrub in
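# ftp-proxy(8) loads its per-session translation rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# One translation line per IP phone. static-port is necessary to make pf
# retain the UDP ephemeral port, so that the remote SIP proxy knows what
# session we belong to
nat on $ext_if inet proto udp from $ipphone1 to any -> ($ext_if) static-port
# translate lan client addresses to that of the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# hand lan ftp control connections to the local ftp-proxy; "rdr pass"
# also passes the packet, so no filter rule for port 8021 is needed
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# everything in $int_to_lan_services is exposed to any internet source
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto tcp from any to any port $sip4 -> $ipphone1
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn_server port 1194
# transparent proxying: lan web traffic goes to the squid at .254
rdr on $int_if inet proto tcp from $int_net to any port www -> 192.168.0.254 port 3128
# filter anchor for ftp-proxy's per-session pass rules (first filter rule)
anchor "ftp-proxy/*"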
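# block by default; "log" makes every denied packet visible on pflog
block log all
# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all
# allow WAN requests from the internet to enter EXT
# in order to reach the services forwarded to the lan server by the rdr
# above (keep state on this connection). This rule is not "quick"; with
# last-match filtering it holds only because no later rule matches the
# same traffic.
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state
# UDP 1194 for openvpn (also not "quick", see above)
pass in on $ext_if inet proto udp from any to $vpn_server port 1194 keep state
# Allow dhcp in
pass in quick on $ext_if inet proto udp from any port bootps to 255.255.255.255 port bootpc keep state
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
# $InICMP also contains type 8, so the firewall answers pings from anywhere
pass in quick on $ext_if inet proto icmp from any to any icmp-type $InICMP keep state
# allow dns requests (tcp and udp) to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 53 $tcp_state
# allow ntp requests (tcp and udp) to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 123 $tcp_state
# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state
# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
# NOTE(review): this is also the only rule that lets the firewall itself
# originate tcp, and nothing above admits tcp arriving from port 20 on
# $ext_if. An ftp client running on the gateway therefore has no path for
# its data connection in either active (server -> our high port) or passive
# (us -> server high port) mode, which matches the timeouts described in
# the thread. Lan clients are unaffected because their control connection
# is handed to ftp-proxy by the rdr on $int_if.
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services $tcp_state
# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ext_if inet proto udp from any to any port $OutTracerouteUDP keep state
# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out quick on $ext_if inet proto icmp from $ext_if to any icmp-type 8 code 0 keep state
# allow dns requests (tcp and udp) to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this
# connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port 53 $tcp_state
# allow requests (tcp and udp) to ports 67, 68, and 123 from int_if clients
# to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port { 67, 68, 123 } $tcp_state
# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
# (port ftp never gets here: the "rdr pass" above already handled it)
pass in quick on $int_if inet proto tcp from $int_net to any port $lan_to_int_services $tcp_state
# lan admin connects to firewall via ssh for administrative purposes
pass in quick on $int_if inet proto tcp from $int_net to $int_if port $lan_to_fw_services $tcp_state
# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet
# hosts)
pass in quick on $int_if inet proto icmp from $int_net to any icmp-type 8 code 0 keep state
# allow squid connections from lan to proxy
# ("from any" is looser than the neighbouring rules, which use $int_net)
pass in quick on $int_if inet proto tcp from any to 192.168.0.254 port 3128 $tcp_state
# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state
# UDP 1194
pass out quick on $int_if inet proto udp from any to $vpn_server port 1194 keep state
# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services $tcp_state
# sip for viatalk
# these rules match on the SOURCE port of the phone, not on a destination
pass in quick on $int_if inet proto udp from $ipphone1 port $sip to any keep state
pass in quick on $int_if inet proto udp from $ipphone1 port $sip2 to any keep state
pass in quick on $int_if inet proto udp from $ipphone1 port $sip3 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip to any keep state
pass out quick on $ext_if inet proto udp from any port $sip2 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip3 to any keep state
# (the original had this tcp rule twice; the identical duplicate is removed)
pass in quick on $int_if inet proto tcp from $ipphone1 port $sip to any $tcp_state
pass out quick on $ext_if inet proto tcp from any port $sip to any $tcp_state
# sip protocols from the internet
# after the rdr the destination is $ipphone1, so "to $ipphone1" would be
# the tighter form of this rule
pass in quick on $ext_if inet proto tcp from any to any port $sip4 $tcp_state
# NOTE(review): forwarded connections carry the remote host as source, not
# $int_if; presumably the state from the "pass in" on $ext_if already covers
# the outbound leg and this rule only matters for the firewall's own
# connections — confirm with pfctl -ss
pass out quick on $int_if inet proto tcp from $int_if to $ipphone1 port $sip4 $tcp_state
# these are for rtp audio reception
# NOTE(review): $sip5 is 1024:65535, so the "pass out" rule permits nearly
# any outbound udp from any source regardless of destination, far beyond the
# phone; confirm this breadth is intended
pass in quick on $int_if inet proto udp from $ipphone1 port $sip5 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip5 to any keep state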
"Helmut Schneider" <jumper99@xxxxxx> wrote in message
news:5rilhbF14vdl9U1@xxxxxxxxxxxxxxxxxxxxx
Dave <dmehler26@xxxxxxxxxx> wrote:
I've got OpenBSD 4.2 set up as a firewall/gateway. I'm using pf and
ftp-proxy. All of that is working fine from behind the lan, clients can
get to ftp sites and retrieve files. My issue is that the gateway box itself
cannot. I try to set the PKG_PATH environment variable so I can
download packages but i keep getting timeouts. From the tcpdump output
i'm seeing pf is blocking connections back to the gateway box's port 20
and blocking outgoing connections. I can connect to the ftp sites just
fine from behind the gateway from lan boxes, and can connect fine from
the gateway, but when i go to do anything like an ls, or a cd or a get,
i get disconnected. Any ideas what to check?
pf.conf would be *very* helpful.
--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn
.