Confusion about FTP through PF
2008-03-03 11:03:11
Hello All:

I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.

If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

I have tried using ftp-proxy and pftpx, but the configuration guidelines from the man pages of both don't seem to work.  I actually used them verbatim.  Finally, this is FreeBSD 6.3p1 with the default PF.

Here's what I have relevant to FTP at the moment, where liv_ftp_int is behind PF, liv_ftp_ext is in front.  $vlan2_if is the outside interface on a valid IP and $vlan924_if is the inside interface on the 10.214 subnet (10.214.0.1) which serves as the default gateway for the subnet.

liv_ftp_int="10.214.0.13"
liv_ftp_ext="X.X.X.X"
table <ftp_servers> persist { $liv_ftp_ext }
nat-anchor "ftp-proxy/*"
nat on $vlan2_if from $liv_ftp_int to any -> $liv_ftp_ext
rdr-anchor "ftp-proxy/*"
rdr on $vlan2_if proto tcp from any to <ftp_servers> port 21 -> 127.0.0.1 port 8021
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 21 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 20 -> $liv_ftp_int
rdr on ! $vlan924_if proto tcp from any to $liv_ftp_ext port 443 -> $liv_ftp_int
block in quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
anchor "ftp-proxy/*"

Regards,

Mike
Re: Confusion about FTP through PF
2008-03-03 19:02:16
On Mon, Mar 03, 2008 at 09:03:11AM -0800, Michael K. Smith - Adhost wrote:
> Hello All:

First, is there a reason you sent your message twice, 6 hours apart, with different subject lines?  Sorry if I sound crass, but I'm not sure why you did this.

> I am confused about using FTP through PF.  We have been running with a working ftp-proxy setup that allows our internal servers to ftp out with no trouble.  I am now interested in putting an FTP server behind my PF configuration and I've not been too successful.
> 
> If I am running an FTP server, is it necessary to proxy the connections through the PF boxes or can I just allow the FTP connections through PF to those servers?  If it's necessary, does anyone have a configuration that will work for an FTP server servicing inbound FTP connections from the Internet to a server behind PF?

You need to understand the FTP protocol's modes of operation when it comes to data transfers to properly fix your rules.

An FTP server listens on TCP port 21 for incoming connections which can be referred to as "control" connections (e.g. commands the FTP client is submitting to the server).

However, for directory listings and file transfers, FTP has two modes of operation: active and passive.  The mode used can be selected by the FTP client.  Passive is pretty much the standard mode of operation now in all FTP clients, but supporting both modes is important.

Active mode causes the FTP client to use the PORT command, while passive mode causes the FTP client to use the PASV command.

In active mode, the FTP client will open a listening TCP port (on the client's side), and then send the PORT command to the FTP server, which includes the client's IP and listening port #.  The FTP server, using TCP port 20 (e.g. source = public:20, dest = ftpclient:someport) as its source port, connects to the TCP port specified by the FTP client, and the data transfer begins.

This is a problem for FTP clients behind firewalls, as I'm sure you can imagine -- which is what passive is for.

In passive mode, the FTP client will send a PASV command to the FTP server.  The FTP server will then open a listening TCP port (on the FTP server's side), and will respond to the client's PASV command with the IP address and port # the client should connect to.  The TCP port # used is *dynamic*, which makes it very difficult to properly siphon through a firewall.

There's a couple workarounds for this.  ftp-proxy is one, but the one I prefer to use is based on this: FreeBSD's ftpd(8) allows you to specify a range of TCP ports the FTP server will use when opening a listening port on PASV.  See the -U option in the ftpd(8) manpage.  The default range is 49152 to 65535.

With this in mind, you can poke holes in your firewall for those ports, redirecting any connections to 49152:65535 to the FTP server's internal IP address.

This is taken from our pf.conf on our production FTP server.  The FTP server has a public IP address 72.20.106.8, but uses pf(4) to deny all incoming packets and permit all outgoing packets:

# Punch holes for FTP.  The rule looks complex, so here it is explained:
#
# - Make sure pass rule only applies to 72.20.106.8 (ftp.sc1.parodius.com)
# - Permit incoming connections to port 21 (main FTP service)
# - Permit incoming connections to ports 49152-65535 (FTP passive mode)
# - TCP port 20 is actually for **outbound** connections in FTP active mode,
#   and since we allow all outbound traffic, we don't need a rule for it.
# - TCP ports 49152-65535 come from ftpd(8) and ip(4) manpages; there are
#   sysctl(8) knobs for these, but we shouldn't mess with those.
#
pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { ftp, 49152:65535 } modulate state flags S/SA

Understanding how the protocol works is key to understanding how to properly administrate a firewall that has to deal with FTP.  So I hope this helps clear up some of the confusion.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
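To make the active/passive distinction above concrete, here is an added example (not from the original message): it decodes the host/port tuple carried by a PORT command or a 227 PASV reply, and reports whether the pass rule quoted above (72.20.106.8, ports ftp and 49152:65535) would admit the resulting inbound data connection.  The sample lines are constructed, not captured from a real server.

```python
import re

# Passive range admitted by the pass rule above (ftpd(8)'s default -U range).
PASV_RANGE = (49152, 65535)
# Public address the pass rule is restricted to, as given in the message.
FTP_SERVER = "72.20.106.8"

_HP = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply.
    The port is p1*256 + p2."""
    m = _HP.search(text)
    if not m:
        raise ValueError("no host/port tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def data_connection(line):
    """Return (mode, ip, port) describing the data connection a line implies.
    Passive (227 reply): the client connects to the server's dynamic port.
    Active (PORT command): the server connects from port 20 to the client."""
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        return ("passive", ip, port)
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return ("active", ip, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def firewall_verdict(line):
    """How the pass rule above treats the data connection implied by the line."""
    mode, ip, port = data_connection(line)
    if mode == "active":
        # server:20 -> client is outbound; covered by the permit-all-out policy
        return "outbound"
    if ip == FTP_SERVER and PASV_RANGE[0] <= port <= PASV_RANGE[1]:
        return "pass"
    return "block"   # dynamic port outside the punched range, or wrong address

# Constructed sample exchange lines (not from a real session).
SAMPLE = [
    "227 Entering Passive Mode (72,20,106,8,193,10)",  # port 49418: inside the range
    "227 Entering Passive Mode (72,20,106,8,4,1)",     # port 1025: outside the range
    "PORT 192,168,1,50,8,9",                           # active: client listens on 2057
]
```

An ftpd started without -U, or one whose range differs from what the rule punches, shows up here as "block" verdicts for perfectly valid 227 replies, which is the symptom to look for in pflog when passive transfers hang.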

RE: Confusion about FTP through PF
2008-03-04 13:33:29
Hello All:

> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
> 
Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.

table <ftp_servers> persist {
        $liv_ftp_ext,
        $uft_01_ext
        }

block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21

When I load this rule ftp breaks to everything, including the <ftp_servers> servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?

Regards,

Mike

Re: Confusion about FTP through PF
2008-03-04 19:19:10
On Tue, Mar 04, 2008 at 11:33:29AM -0800, Michael K. Smith - Adhost wrote:
> > pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> > ftp, 49152:65535 } modulate state flags S/SA
> > 
> Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.
> 
> table <ftp_servers> persist {
>         $liv_ftp_ext,
>         $uft_01_ext
>         }
> 
> block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
> 
> When I load this rule ftp breaks to everything, including the <ftp_servers> servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?

A couple things:

1) What does "breaks to everything" mean?  Does it mean the rule starts blocking traffic, or does it mean the rule works as expected but you get "random" disconnects once established, etc?

2) It also depends on where in your pf.conf that rule is located.  You're using the "quick" operator, so in the case any incoming packet matches said criteria, rules past that point will not be analysed.  This might not be the problem at all, but I thought I'd mention it just in case.

3) I would think that syntax would work, however the pf.conf manpage doesn't seem to indicate that you can use a ! with a <table>.  It does indicate you can do !1.2.3.4 and so on, but that's not practical in this case.  Folks familiar with pf's parser would have to comment on this.

There's a logical workaround -- use 2 rules:

pass  in     quick on $vlan2_if proto tcp from any to <ftp_servers> port 21 modulate state flags S/SA
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA

If this doesn't work, you should consider sniffing the pflog0 interface (I assume you have pflog enabled in rc.conf) and see what's being denied: tcpdump -s 256 -i pflog0

Finally, note that your block entry doesn't specify any TCP flags, so it's going to block everything, rather than just initial SYN and SYN+ACK situations.  That can sometimes lead to what I described in #1.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

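Jeremy's point 2 (a matching "quick" rule ends evaluation) decides whether his two-rule workaround works, and the order of the two rules is what matters.  The following added example is not from the thread: it models only pf's last-match-wins and quick semantics for the fields those two rules use, with constructed 203.0.113.0/24 addresses standing in for <ftp_servers>.

```python
# Minimal model of pf rule evaluation: rules are walked in order and the LAST
# matching rule decides, except that a matching "quick" rule ends the walk at
# once.  A packet matching no rule passes (pf's implicit default).  Only the
# fields used by the two rules in the message are modelled: destination
# address, destination port, and whether the packet is an initial SYN
# (what "flags S/SA" selects).  State tables are not modelled.

# Constructed stand-in for the <ftp_servers> table.
FTP_SERVERS = {"203.0.113.13", "203.0.113.14"}

def rule(action, quick, dst, port, syn_only):
    """dst is a set of addresses, or None meaning 'any'."""
    return {"action": action, "quick": quick, "dst": dst,
            "port": port, "syn_only": syn_only}

def matches(r, pkt):
    if r["dst"] is not None and pkt["dst"] not in r["dst"]:
        return False
    if r["port"] != pkt["port"]:
        return False
    if r["syn_only"] and not pkt["syn"]:
        return False
    return True

def evaluate(rules, pkt):
    verdict = "pass"                 # implicit default when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]    # last match wins ...
            if r["quick"]:
                break                # ... unless the match is quick
    return verdict

# The two-rule workaround, in the order given in the message.
WORKAROUND = [
    rule("pass",  True, FTP_SERVERS, 21, True),  # pass in quick ... to <ftp_servers> port 21
    rule("block", True, None,        21, True),  # block in log quick ... to any port 21 flags S/SA
]
# Same rules with the block first: its quick match stops the walk before the pass rule.
REVERSED = list(reversed(WORKAROUND))

def syn_to(dst, port=21):
    """Constructed inbound SYN to dst:port, as a connection attempt would produce."""
    return {"dst": dst, "port": port, "syn": True}

def verdicts(rules):
    """Verdict for a SYN to an FTP server and to some other host behind pf."""
    return {dst: evaluate(rules, syn_to(dst))
            for dst in ("203.0.113.13", "203.0.113.99")}
```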

RE: Confusion about FTP through PF
2008-03-06 12:34:07
Hello Jeremy (et al.):

We found the issue and I wanted to share the solution.

As before, this rule worked as expected:

# --
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
# --

However, when the following rule was in place, we couldn't get any FTP traffic to the FTP servers.  We tried modifying the rule by replacing ! <ftp_servers> with individual IP's and server macros, but nothing seemed to fix it.  However, when we removed the rule entirely, we could FTP to the servers, but we could also FTP to the PF devices themselves, which was not what we wanted.

#--
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
#--

Next, we tried this rule, but we experienced the same results.

#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--

Finally, we had success.

#--
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA
#--

where

#--
table <firewall> const
#--

This allows FTP traffic through the PF firewall to the FTP servers but disallows FTP connections to the PF devices themselves.  Traffic to the FTP servers is allowed to pass with

#--
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
#--

Thanks again to Jeremy for the various rules and the explanation of FTP methodology, without which we would have gotten stuck with the 49152:65535 port range requirements.

Regards,

Mike