pftpx + pf issue
Andrei Manescu - Ivorde
andrei.manescu at ivorde.ro
Tue Jul 14 10:47:20 UTC 2009
Hello.
I'm trying to setup an ftp-proxy (pftpx) with PF.
I have set up the nat anchors and rdr in pf.conf.
My setup:
      +-------------+
      |  INTERNET   |
      +-------------+
             |
             |
             |
      +-------------+
      |     PF      |
      |    pftpx    |
      +-------------+
             |
             |
             |
      +-------------+
      |   PROFTPD   |
      +-------------+
The client in internet: 52.125.11.51
PF External IP address: 81.157.22.26
FTP Server: 192.168.1.10
The rules in pf added by pftpx:
# pfctl -v -a `pfctl -sA -v | grep -v "pftpx$"` -sr; pfctl -vvv -a `pfctl -sA -v | grep -v "pftpx$"` -sn
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
  [ Evaluations: 3         Packets: 2         Bytes: 80          States: 1     ]
Proftpd output:
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'EPSV' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - in dir_check_full(): path = '/', fullpath = '/usr/home/www/test_dir/'.
domain.com (192.168.1.10[192.168.1.10]) - ROOT PRIVS at inet.c:237
domain.com (192.168.1.10[192.168.1.10]) - RELINQUISH PRIVS at inet.c:254
domain.com (192.168.1.10[192.168.1.10]) - Entering Extended Passive Mode (|||65186|)
domain.com (192.168.1.10[192.168.1.10]) - dispatching POST_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_sql
domain.com (192.168.1.10[192.168.1.10]) - dispatching LOG_CMD command 'EPSV' to mod_log
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_tls
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_rewrite
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_core
domain.com (192.168.1.10[192.168.1.10]) - dispatching PRE_CMD command 'LIST' to mod_ratio
domain.com (192.168.1.10[192.168.1.10]) - dispatching CMD command 'LIST' to mod_ls
domain.com (192.168.1.10[192.168.1.10]) - SECURITY VIOLATION: Passive connection from 52.125.11.51 rejected.
FTP Client:
230 User test_user logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||53266|)
421 Service not available, remote server has closed connection.
ftp>
ftp> ^D
PFTPX output:
#1 server: 230 User test_user logged in\r\n
#1 client: SYST\r\n
#1 server: 215 UNIX Type: L8\r\n
#1 client: FEAT\r\n
#1 server: 211-Features\n
#1 server: MDTM\n
#1 server: MFMT\n
#1 server: MFF modify;UNIX.group;UNIX.mode;\n
#1 server: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\n
#1 server: REST STREAM\n
#1 server: SIZE\r\n
#1 server: 211 End\r\n
#1 client: PWD\r\n
#1 server: 257 "/" is the current directory\r\n
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||65186|)\r\n
#1 passive: client to server port 65186 via port 53266
#1 proxy: 229 Entering Extended Passive Mode (|||53266|)\r\n
#1 client: LIST\r\n
^Cpftpx exiting on signal 2
#1 ending session
As you can see, pftpx adds the correct rules to PF, but the client's IP (52.125.11.51) isn't NATed (proftpd complains: "Passive connection from 52.125.11.51 rejected"). The packets from the client are being redirected to the FTP server, but the nat rule isn't applied to them.
First part of my pf.conf:
ext_if1="xl0" # replace with actual external interface name, e.g. dc0
int_if1="dc0" # replace with actual internal interface name, e.g. dc1
WEB_HOST="192.168.1.10"
SMTP_HOST="192.168.1.11"
internal_net1="192.168.1.0/24"
external_addr1="81.157.22.26"
icmp_types="echoreq"
set optimization normal
set block-policy drop
set state-policy if-bound
set skip on lo0
scrub all reassemble tcp
scrub in all fragment reassemble
scrub out all random-id
nat-anchor "pftpx/*"
rdr on {$ext_if1,$int_if1} proto tcp from any to {$ext_adr1, $ext_adr2, $external_addr1} port 80 -> 192.168.1.10 port 80
rdr on $ext_if1 proto tcp from any to {$ext_adr1, $external_addr1} port 6122 -> 192.168.1.10 port 22
rdr on $ext_if1 proto tcp from any to {$ext_adr1, $external_addr1} port 6123 -> 192.168.1.11 port 22
rdr on $ext_if1 proto tcp from any to {$ext_adr1, $external_addr1} port 25 -> 192.168.1.11
rdr on $ext_if1 proto tcp from any to {$ext_adr1, $external_addr1} port 993 -> 192.168.1.11
rdr on {$ext_if1,$int_if1} proto tcp from any to {$ext_adr1, $external_addr1} port 443 -> 192.168.1.11
rdr on $ext_if1 proto tcp from any to {$ext_adr1, $external_addr1} port 33890 -> 192.168.1.1 port 33890
rdr-anchor "pftpx/*"
rdr pass on $ext_if1 proto tcp from any to $external_addr1 port 21 -> $external_addr1 port 8021
nat on $ext_if1 inet from $internal_net1 to any -> $ext_if1
block drop log-all all
block drop in log quick from <bruteforce>
block drop in log quick from <permanentban>
block drop in log quick from any os {SCO, NMAP} to any
pass out quick on $gre_if from any to 192.168.25.0/24 flags S/SA keep state queue ssh
pass in quick on $gre_if from 192.168.25.0/24 to any flags S/SA keep state queue ssh
block drop in log quick proto tcp from any to any flags FUP/FUP
block drop in log quick proto tcp from any to any flags SAFRPU/SAFRPU
block drop in log quick proto tcp from any to any flags SAFRU/SAFRU
block drop in log quick proto tcp from any to any flags SF/SF
block drop in log-all quick proto tcp from any to any flags SR/SR
block drop in log-all quick proto tcp from any to any flags SF/SFRA
block drop in log-all quick proto tcp from any to any flags /SFRA
antispoof log quick for $ext_if1 inet
antispoof log quick for lo0 inet
Any hints on why the nat rule added by pftpx isn't evaluated at all ([ Evaluations: 0 ])?
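As an added worked check (not part of the original post, and not pftpx's or pf's own code): a small Python script that parses the `pfctl -vvv -a <anchor> -sr` / `-sn` rule-and-counter output of the kind quoted above together with the pftpx `server:` / `proxy:` 229 lines, reports which anchor rules were never evaluated, and confirms that the rdr maps the port handed to the client (53266) onto the port the server actually opened (65186). The sample pfctl and pftpx text below is constructed from the values in the post; the function and variable names are this example's own.

```python
import re

# Constructed sample modelled on the pfctl -vvv output quoted in the post
# (each rule is followed by pfctl's "[ Evaluations: ... ]" counter line).
PFCTL_OUTPUT = """
pass in log quick inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
pass out log quick inet proto tcp from 192.168.1.10 to 192.168.1.10 port = 65186 flags S/FSRA keep state (max 1)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 nat inet proto tcp from 52.125.11.51 to 192.168.1.10 port = 65186 -> 192.168.1.10
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@0 rdr inet proto tcp from 52.125.11.51 to 81.157.22.26 port = 53266 -> 192.168.1.10 port 65186
  [ Evaluations: 3         Packets: 2         Bytes: 80          States: 1     ]
"""

# Constructed sample of the pftpx session log for one EPSV exchange
# (the \r\n are literal, as pftpx prints them).
PFTPX_LOG = r"""
#1 client: EPSV\r\n
#1 server: 229 Entering Extended Passive Mode (|||65186|)\r\n
#1 passive: client to server port 65186 via port 53266
#1 proxy: 229 Entering Extended Passive Mode (|||53266|)\r\n
#1 client: LIST\r\n
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
EPSV_RE = re.compile(r"^#\d+ (server|proxy): 229 .*\(\|\|\|(\d+)\|\)")
RDR_RE = re.compile(r"^rdr .*port = (\d+) -> (\S+) port (\d+)$")


def parse_pfctl(text):
    """Turn pfctl -vvv rule listings into dicts with their counters."""
    rules, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNTER_RE.search(line)
        if m:
            if pending is None:
                raise ValueError("counter line without a preceding rule: " + line)
            pending.update(evaluations=int(m[1]), packets=int(m[2]),
                           bytes=int(m[3]), states=int(m[4]))
            rules.append(pending)
            pending = None
        else:
            rule = re.sub(r"^@\d+\s+", "", line)   # drop pfctl's "@0 " rule index
            pending = {"rule": rule, "action": rule.split()[0]}
    if pending is not None:                        # listing without -v counters
        pending.update(evaluations=None, packets=None, bytes=None, states=None)
        rules.append(pending)
    return rules


def never_evaluated(rules):
    """Rules pf never even considered for a packet (Evaluations == 0)."""
    return [r["rule"] for r in rules if r["evaluations"] == 0]


def passive_ports(log):
    """(port the server opened, port the proxy announced to the client)."""
    seen = {}
    for line in log.splitlines():
        m = EPSV_RE.match(line.strip())
        if m:
            seen[m[1]] = int(m[2])
    return seen.get("server"), seen.get("proxy")


def rdr_mapping(rules):
    """(external port, target host, target port) of the anchor's rdr rule."""
    for r in rules:
        if r["action"] == "rdr":
            m = RDR_RE.match(r["rule"])
            if m:
                return int(m[1]), m[2], int(m[3])
    return None


def check_session(pfctl_text, pftpx_log):
    """Correlate one pftpx session's anchor rules with its EPSV rewrite."""
    rules = parse_pfctl(pfctl_text)
    server_port, proxy_port = passive_ports(pftpx_log)
    mapping = rdr_mapping(rules)
    return {
        "server_port": server_port,
        "proxy_port": proxy_port,
        # the rdr must take the proxy-announced port and send it to the
        # port the server really listens on
        "rdr_ok": (mapping is not None
                   and mapping[0] == proxy_port and mapping[2] == server_port),
        "never_evaluated": never_evaluated(rules),
    }


if __name__ == "__main__":
    result = check_session(PFCTL_OUTPUT, PFTPX_LOG)
    print("proxy port %s -> server port %s, rdr mapping ok: %s"
          % (result["proxy_port"], result["server_port"], result["rdr_ok"]))
    for rule in result["never_evaluated"]:
        print("never evaluated:", rule)
```

Against live output, feed the script the concatenated `pfctl -vvv -a <anchor> -sr` and `-sn` listings for the pftpx sub-anchor and the matching lines of the pftpx session log. An `Evaluations` counter that stays at 0 while the rdr rule in the same anchor already holds a state tells you pf never reached that rule for any packet on the path; the counters alone do not say why, but they narrow the question to whether the rule's interface, direction and addresses can match the packets pf actually sees after the redirect.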
More information about the freebsd-pf mailing list