passive mode ftp pf.conf OpenBSD 5.6 i386


passive mode ftp pf.conf OpenBSD 5.6 i386

mottycruz
Hello, I am trying to configure pf.conf (OpenBSD 5.6) to allow clients
to access an FTP server using passive mode on my internal network.

The network consists of a DSL modem with public IP 1.2.3.4 on the outside and
10.1.10.1 on the inside network. However, the DSL modem does not provide
any security, therefore I built a firewall using OpenBSD with 10.1.10.8 on
the outside and 192.168.8.1 on the internal LAN.

My FTP server is 192.168.8.17. I can access my FTP server from any
public network; however, when I use the PASV command the FTP server does not
respond. I enabled ftp-proxy (please see relevant information below). I
suspect this is because the internal network does not match the public IP. Please
advise on how to resolve this issue.

Relevant information from the pf.conf file.

Thanks in advance,
_Motty


Re: passive mode ftp pf.conf OpenBSD 5.6 i386

Giancarlo Razzolini-3
On 22-10-2015 19:49, Motty wrote:
> I am trying to configure pf.conf (OpenBSD 5.6)

I know it is a beaten and old argument, but please upgrade your OpenBSD.
5.6 isn't supported anymore. That being said, I don't think your problem
has anything to do with your OpenBSD version.

> when I use pasive command FTP server does not
> respond. I enabled ftp-proxy (please see relevant information below)

You need to configure your ftp-proxy server as a reverse proxy. I
believe you attached the information, but this list uses demime, so
you'll need to paste the information as text here. Without it, it's
difficult to help you.

Cheers,
Giancarlo Razzolini


Re: passive mode ftp pf.conf OpenBSD 5.6 i386

mottycruz
Thank you very much for your reply! I did configure ftp-proxy as reverse:

/usr/sbin/ftp-proxy -p 8021 -R 192.168.8.17 -P 21 -D7 -v


pf.conf:
ext="bnx0"
int="bnx1"
ext_net="10.1.10.0/24"
web_server="192.168.8.17"
sap_server="192.168.8.10"
mail_server="192.168.8.22"

# Default block all
block in all

#**** loop interface **#
set skip on lo

#****************ENABLE NAT *********************#
match out on $ext from 192.168.8.0/24 to any nat-to 10.1.10.8

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp

### ICMP RULES
pass in on $ext inet proto icmp all keep state
pass out on $ext inet proto icmp all keep state

## PASS OUT ALL
pass in on $int
pass out on $int
pass out on $ext
pass out keep state
pass out all

The error I get:
Response:    200 Type set to I.
Command:    PASV
Response:    227 Entering Passive Mode (1,2,3,4,228,236)
Command:    LIST
Error:    Connection timed out
Error:    Failed to retrieve directory listing

please advise!

Thanks,
_Motty


Re: passive mode ftp pf.conf OpenBSD 5.6 i386

Giancarlo Razzolini-3
On 23-10-2015 12:58, Motty wrote:
> ### RULES FOR FTP
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> pass in quick on $ext proto tcp from any to 10.1.10.8 port ftp rdr-to $web_server port ftp
I believe you need a nat instead of rdr. From ftp-proxy(8) man page:

         In case of passive mode (PASV or EPSV):

       pass in from $client to $orig_server port $proxy_port \
           rdr-to $server port $port
       pass out from $client to $server port $port nat-to $proxy

p.s.: Please let FTP run its course and die! I beg you. Every time an
admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
must, DAV.

Cheers,
Giancarlo Razzolini
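Two things in this thread are worth seeing in code: what the 227 reply in Motty's FileZilla log actually tells the client to do, and what the reverse proxy has to do with the server's 227 before relaying it, following the pf rule template quoted from ftp-proxy(8) above. The following is an added example, not code from the thread or from ftp-proxy itself. The addresses are the ones in the thread; the client address 203.0.113.5, the proxy's server-side address 192.168.8.1 and the helper names are assumptions, and the rule strings are the man page template with the variables filled in, not necessarily what ftp-proxy inserts verbatim.

```python
# Added example (not from the thread): decode a passive-mode reply, apply the
# client-side sanity check on the advertised address, and show the rewrite plus
# rule pair a reverse proxy needs, per the ftp-proxy(8) template in the thread.
import ipaddress
import re

# 227 (PASV, RFC 959): (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 (EPSV, RFC 2428): (|||port|), the data host is the control-connection peer
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, control_peer):
    """Return the (host, port) the client is being told to open the data connection to."""
    m = PASV_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()]
        # IPv4Address raises a ValueError subclass on any octet above 255
        host = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
        p1, p2 = octets[4:]
        if p1 > 255 or p2 > 255:
            raise ValueError("port byte out of range in 227 reply")
        return str(host), p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in 229 reply")
        return control_peer, port
    raise ValueError("not a 227/229 reply: %r" % line)


def client_check(reply, control_peer):
    """Client-side check: the data host should be the host the control connection
    already talks to.  A private address means the server's real address leaked
    through without a proxy/NAT rewrite; any other foreign address makes the
    client open a connection wherever the server says, so it should be refused."""
    host, port = parse_passive_reply(reply, control_peer)
    if host == control_peer:
        return "ok"
    if ipaddress.ip_address(host).is_private:
        return "private address leaked: %s:%d" % (host, port)
    return "third-party address: %s:%d" % (host, port)


def proxy_passive(server_reply, client, orig_server, server, proxy, proxy_port=None):
    """Reverse-proxy handling of the server's 227:
    (1) rewrite it so the client connects to the address it originally reached
        ($orig_server) on $proxy_port, and
    (2) produce the rule pair from the ftp-proxy(8) template so that connection
        is redirected to the server's chosen port and leaves from $proxy.
    The man page distinguishes $proxy_port from $port, so the client-facing port
    need not equal the server's; here it defaults to the same value."""
    host, port = parse_passive_reply(server_reply, server)
    if proxy_port is None:
        proxy_port = port
    rewritten = "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        orig_server.replace(".", ","), proxy_port // 256, proxy_port % 256)
    rules = [
        "pass in from %s to %s port %d rdr-to %s port %d"
        % (client, orig_server, proxy_port, server, port),
        "pass out from %s to %s port %d nat-to %s" % (client, server, port, proxy),
    ]
    return rewritten, rules


if __name__ == "__main__":
    # The reply from Motty's log, seen by a client that connected to 1.2.3.4
    print(client_check("227 Entering Passive Mode (1,2,3,4,228,236)", "1.2.3.4"))
    # What the internal server would say if nothing rewrote it
    print(client_check("227 Entering Passive Mode (192,168,8,17,228,236)", "10.1.10.8"))
    rewritten, rules = proxy_passive(
        "227 Entering Passive Mode (192,168,8,17,228,236)\r\n",
        client="203.0.113.5", orig_server="10.1.10.8",
        server="192.168.8.17", proxy="192.168.8.1")
    print(rewritten.strip())
    print("\n".join(rules))
```

The port in the logged reply is 228*256+236 = 58604, and the address 1.2.3.4 is the one the client connected to, so the client went ahead and timed out because nothing between the modem and 192.168.8.17 forwarded that port. On the firewall, the rules ftp-proxy actually installs for a session can be listed with `pfctl -a "ftp-proxy/*" -s rules`, which is the quickest way to see whether the anchor in pf.conf is being used at all.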


Re: passive mode ftp pf.conf OpenBSD 5.6 i386

mottycruz
Thank you very much!

### RULES FOR FTP
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass out inet proto tcp from $ext to any port ftp

worked for me!



Re: passive mode ftp pf.conf OpenBSD 5.6 i386

Marcus MERIGHI
Giancarlo Razzolini, 2015.10.23 (Fri) 20:09 (CEST):
> p.s.: Please let FTP run its course and die! I beg you. Every time an
> admin starts a ftp server, a puppy dies. Consider using SSH. Or, if you
> must, DAV.

Giancarlo, do you know of any software that does DAV the way ftpds do
FTP?
I've been looking for options recently and was baffled about the lack
thereof.

DAV service is usually built into a HTTPd (apache2, nginx, lighttpd)
as a module. The server runs as non-root user (fortunately).
No way to setuid to the user that just entered username/password.

Additionally, HTTPds hopefully run chrooted. Not much room for separate
user spaces.

I'm afraid there is no real (Web)DAVd.
(Apart from davenport, which is tomcat+davenport+samba. wow.)

Bye (and thanks in advance), Marcus



Re: passive mode ftp pf.conf OpenBSD 5.6 i386

Giancarlo Razzolini-3
On 28-10-2015 08:08, Marcus MERIGHI wrote:
> Giancarlo, do you know of any software that does DAV the way ftpds do
> FTP?

No, I don't. I mentioned DAV for the simpler setups.

> I've been looking for options recently and was baffled about the lack
> thereof.

Nginx has a simple module, apache has a full solution, don't know about
lighttpd.

>
> DAV service is usually built into a HTTPd (apache2, nginx, lighttpd)
> as a module. The server runs as non-root user (fortunately).
> No way to setuid to the user that just entered username/password.

Do you really need to setuid things to the user?

>
> Additionally, HTTPds hopefully run chrooted. Not much room for separate
> user spaces.
>
> I'm afraid there is no real (Web)DAVd.
> (Apart from davenport, which is tomcat+davenport+samba. wow.)
>
> Bye (and thanks in advance), Marcus

Don't try to implement the same thing ftp does on top of other
protocols. That being said, using OpenSSH you can have everything ftp
has even better. You can even chroot every user to his/her home. With
the benefit of, you know, talking ssh protocol, instead of ftp.

Cheers,
Giancarlo Razzolini
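The per-user chroot Giancarlo describes is an sshd_config matter, not a pf one, and it also answers Marcus's point about running as the authenticated user: internal-sftp runs inside the already-authenticated session, so each user's uid applies without any setuid step. The fragment below is an added example, not from the thread; the group name sftponly, the /home/%u layout and the writable subdirectory are assumptions, while the directives themselves are standard sshd_config(5).

```sshd_config
# Added example (not from the thread): sftp-only users, each confined to
# their own home.  "sftponly" and the path layout are assumptions.
Subsystem sftp internal-sftp

Match Group sftponly
    # sshd requires every component of this path to be root-owned and not
    # writable by anyone else, so the user gets a writable subdirectory
    # (e.g. /home/%u/files) rather than the chroot directory itself.
    ChrootDirectory /home/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
```

Validate with `sshd -t` before restarting sshd; a ChrootDirectory with the wrong ownership or mode is rejected at login time, not at config time, so also test an actual sftp login as a member of the group. The Match block denies forwarding and tunnelling so that an account that is meant only to move files cannot be used as a relay into the LAN.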