Re: pf, ftp-proxy, default deny, 421 Service not available
From: Chris Zakelj (c.zakelj ieee.org)
Date: Mon Nov 01 2004 - 17:01:32 CST
Craig Skinner wrote:
>On Mon, 2004-11-01 at 20:23, Chris Zakelj wrote:
>
>
>>no. go read http://www.openbsd.org/faq/pf/ftp.html again.
>>
>>
>My interpretation of "With passive mode FTP, the client requests that
>the server pick a random port to listen on for the data connection. The
>server informs the client of the port it has chosen, and the client
>connects to this port to transfer the data." is:-
>
>client opens a local port > 1023 to server's port 21
>server responds on same channel
>client opens a local port > 1023 to server's port > 1023 as negotiated
>in the previous step.
>
>
yes
>so....
>
>
># Redirect client's command channel to server's port 21 to ftp-proxy
>rdr pass on $int_if inet proto tcp to port ftp -> 127.0.0.1 port 8021
>
>
yes (sorta, PF's gonna bitch about the syntax)
># Allow ftp-proxy to connect to the server's port 21 on behalf of client
>pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
> to any port ftp modulate state
>
>
I suppose, but why do you keep using 'port >1023'? The system's going
to do that anyway.
># Allow the client in to us from a high port to connect
># to the server's data channel high port
>pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
> to any port > 1023 modulate state
>
>
No.
># Allow the client out from us from a high port to connect
># to the server's data channel high port
>pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
> to any port > 1023 modulate state
>
>
If you're trying to only allow ftp access, this entirely defeats the
purpose of your first rule.
>I think I must be interpreting the docs in a different way to what they
>were intended to be.
>
You're trying to reinvent the wheel when the FAQ tells you exactly what
to do.
If you want more hand-holding, I'll be happy to do it for $100/hr and
pizza+beer.
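For comparison, a pf.conf fragment in the same 3.x-era syntax the thread uses, written as an added example rather than taken from the thread or the FAQ. It assumes the interface names and LAN prefix shown, and that ftp-proxy is started by inetd on 127.0.0.1:8021 and drops to the "proxy" user (its documented default); the point is that the outbound high-port rule can be tied to that user instead of opened for the whole firewall.

```pf
# Assumed macros (not from the thread): inside/outside interfaces, LAN prefix.
int_if = "fxp0"
ext_if = "fxp1"
lan    = "192.168.1.0/24"

# Translation rules must precede filter rules in pf.conf.
# Hand every client FTP control connection to ftp-proxy, which inetd is
# assumed to run on 127.0.0.1:8021. 'rdr pass' also passes the redirected
# connection in on $int_if, so no separate 'pass in' rule is needed for it.
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# Default deny: nothing else passes unless a rule below allows it.
block log all

# ftp-proxy's own control connection to the remote server's port 21.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# Passive-mode data connections: ftp-proxy opens these to whatever port the
# server chose. Restricting the rule to the 'proxy' user (the uid ftp-proxy
# runs as) keeps the default deny intact for every other local process.
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 \
    user proxy flags S/SA keep state

# The blanket rule from the thread, for contrast: any local process may reach
# any high port on any host, which undoes the default-deny policy above.
# pass out on $ext_if inet proto tcp from ($ext_if) port > 1023 \
#     to any port > 1023 modulate state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading; the source-port qualifier the thread keeps adding is omitted because the kernel already picks an ephemeral port above 1023.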