# Ftp trap with pf



## Orige (May 18, 2010)

Hi all ...

I want to build an FTP server on my firewall server. I used pure-ftpd, proftpd, and nothing worked.
Probably, the problem is in pf.conf.

My environment has FTP_PASSIVE_MODE=YES, and ftp-proxy is configured for port 8021.
Access to this FTP server from my local network works fine, but from the external network the user cannot authenticate.

My pf.conf:


```
[root@server /etc]# cat /etc/pf.conf_edit
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# Interfaces
ext_if = "bge0" # Internet
int_if = "bge1" # vpn / lan

# FTP
proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port

# IPs
voip="192.168.1.2"
servidor_win="192.168.1.3"
note_regi="192.168.1.4"
assistencia="192.168.1.5"
jairo="192.168.1.6"
suporte3="192.168.1.10"			#Daniel
suporte4="192.168.1.11"			#Fabiano
suporte5="192.168.1.8"			#Call
suporte6="192.168.1.7"			#Jonas
suporte7="192.168.1.13"			#Regina
suporte8="192.168.1.15"			#Empty
desenvolvimento="192.168.1.14"		#Jeser

# Services
postgres="5432"
vnc="5500"
radmin="4899"

#### Normalization
scrub in all

#### NAT and RDR
# NAT
nat on $ext_if from !($ext_if)->($ext_if:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

# Servers and VoIP
rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432

# Technical assistance
rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc

# Support
rdr pass on $ext_if proto tcp from any to any port 4898 -> $note_regi port $radmin
rdr pass on $ext_if proto tcp from any to any port 5501 -> $note_regi port $vnc
rdr pass on $ext_if proto tcp from any to any port 4897 -> $jairo port $radmin
rdr pass on $ext_if proto tcp from any to any port 5502 -> $jairo port $vnc
rdr pass on $ext_if proto tcp from any to any port 1723 -> $jairo port 1723
rdr pass on $ext_if proto tcp from any to any port 5503 -> $suporte3 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5506 -> $suporte4 port $vnc
rdr pass on $ext_if proto tcp from any to any port 4895 -> $suporte4 port $radmin
rdr pass on $ext_if proto tcp from any to any port 5504 -> $suporte5 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5505 -> $suporte6 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5507 -> $suporte7 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5509 -> $suporte8 port $vnc
rdr pass on $ext_if proto tcp from any to any port 5508 -> $desenvolvimento port $vnc

#### Start filtering
# Drop incoming everything
#block in all
pass in all
# Default connection refused message to client
block return

# keep state of outgoing connections
pass out keep state

# Squid
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to 127.0.0.1 port 21 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to 127.0.0.1 port > 49151 keep state

# Unlimited traffic for lo0 and VPN/LAN interface
set skip on {lo0, $int_if}

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This mechanism protects
# against activity from spoofed or forged IP addresses
antispoof log for $ext_if

# Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow incoming named udp / tcp 53
pass in on $ext_if proto udp from any to any port 53 keep state
# All tcp services protected using synproxy
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
# Allow ICMP ping
pass inet proto icmp all icmp-type $icmp_types keep state
```

My inetd.conf:

```
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l -l
```

When I try to access FTP from the external network:

```
ftp ftp.storec.ddns.com.br
Connected to ftp.storec.ddns.com.br.
220 Ftp firmware update utility
Name (ftp.storec.ddns.com.br:root): ftp
331 Password please.
Password:
421 Login incorrect.
ftp: Login failed.
```

When I try to access FTP from the local network:


```
ftp 192.168.1.1
Connected to 192.168.1.1.
220 server.store FTP server (Version 6.00LS) ready.
Name (192.168.1.1:root): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
```

Sorry for my bad English.

Thanks a lot

Eduardo Orige
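
An added example, not part of this thread, that audits the `rdr` rules posted above: it expands pf macros and lists each `rdr pass` forward as external port to internal host:port. The point for a defender is that `rdr pass` passes the redirected packets without consulting the filter rules, so every `from any` forward (RDP, Radmin, VNC, PostgreSQL above) is reachable from the whole Internet whatever the `block`/`pass` lines below say, and the FTP redirect has no `on $ext_if`, so it catches port 21 on every interface. The embedded ruleset is a constructed subset of the one above, and `WELL_KNOWN` stands in for the /etc/services lookup pf performs.

```python
import re
# Constructed subset of the macros and rdr rules from the pf.conf posted above.
PF_CONF = """
ext_if = "bge0" # Internet
proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port
servidor_win="192.168.1.3"
radmin="4899"
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
"""
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
RDR_RE = re.compile(r'^\s*rdr\s+(pass\s+)?(?:on\s+(\S+)\s+)?proto\s+(\w+)\s+from\s+(\S+)'
                    r'\s+to\s+\S+\s+port\s+(\S+)\s*->\s*(\S+)(?:\s+port\s+(\S+))?')
WELL_KNOWN = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80, "https": 443}

def parse_macros(conf):
    # name="value" definitions; anything after the closing quote is a comment
    return {m.group(1): m.group(2) for m in map(MACRO_RE.match, conf.splitlines()) if m}

def expand(token, macros):
    # resolve $name references; a macro value may itself be another $name
    while token.startswith("$"):
        token = macros[token[1:]]
    return token

def port_number(token, macros):
    tok = expand(token, macros)  # pf also accepts service names from /etc/services
    return WELL_KNOWN.get(tok) or int(tok)

def redirects(conf):
    # one dict per rdr rule, macros expanded, ports as integers
    macros, rules = parse_macros(conf), []
    for m in filter(None, map(RDR_RE.match, conf.splitlines())):
        passes, iface, proto, src, ext_port, target, int_port = m.groups()
        rules.append({
            "pass": bool(passes),                                # bypasses filter rules
            "iface": expand(iface, macros) if iface else "any",  # no 'on' = every interface
            "proto": proto, "src": src,
            "ext_port": port_number(ext_port, macros),
            "target": expand(target, macros),
            "int_port": port_number(int_port or ext_port, macros),  # omitted = unchanged
        })
    return rules

def exposed_to_any(rules):
    # forwards that 'rdr pass' admits from any source address, filter rules never consulted
    return [(r["ext_port"], f'{r["target"]}:{r["int_port"]}')
            for r in rules if r["pass"] and r["src"] == "any"]
```

Run against a full pf.conf, the `exposed_to_any` list is the set of internal services an external scan will find regardless of the filter section.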


----------



## SirDice (May 19, 2010)

http://www.openbsd.org/faq/pf/ftp.html


----------



## Orige (May 19, 2010)

SirDice, I read and re-read this FAQ.
I put anchors in pf, rules with NAT, and nothing.
I tried several combinations of rules and they didn't work.

Can you post your pf.conf for an FTP server here?

About the FAQ, my case is "PF 'Self-Protecting' an FTP Server".
So I added more lines to my pf.conf:


```
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port 20 keep state
pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
```
Even so, the same error happens.


----------



## FryShadow (May 21, 2010)

Have you set this in rc.conf?


```
ftpproxy_enable="YES"
```


----------



## Orige (May 22, 2010)

Yes.

```
ftpproxy_enable="YES"
```

and

```
ftpproxy_flags=""
```


----------



## Orige (Jun 9, 2010)

*Solved*

There was one problem.

First, the router that authenticates to the Internet is completely open, so I thought the problem was in my pf, because everything is just open and only my server has rules. I concentrated only on the firewall.
I was wrong.
I discovered that my router does not accept incoming connections to port 21 by default; connections that were trying to pass through it failed.

Ok

So I opened another port, 2121, and tried to make the connection.
All right now.

I did not need to use any kind of proxy (ftp-proxy) or anchors.
Thanks to everyone who tried to help me.


----------

