# FTP with IPF BUG?



## MichaelF (Oct 10, 2011)

Hello all,

Please help me to investigate ipf problem. 

I've set up my FreeBSD 8.2 64-bit firewall strictly according to the FreeBSD tutorial found here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

Now my /etc/ipnat.rules looks like


```
map re0 10.3.0.0/16->0/32 proxy port 21 ftp/tcp
map re0 10.3.0.0/16->0/32 portmap tcp/udp auto
map re0 10.3.0.0/16->0/32
```

...and I have these lines in my ipf.rules file:


```
# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
```

This firewall works great with the exception of the ftp protocol: anyone can use active or passive ftp-mode from the local net behind FreeBSD firewall but it's not possible to use at least passive ftp mode on the firewall itself (so I can't install programs from ports)! 

Using ftp and tcpdump utilities I checked ftp session with 'tcp ftp.freebsd.org' step by step and found out that after switching to ftp passive mode my firewall times out making data-connection from >1024 port to >1024 server side port. This does not happen when making connections from the LAN behind the firewall.

If I comment out the ipfilter and ipmon lines in rc.conf, the problem disappears.

But according to "Allow out gateway & LAN users' non-secure FTP (both passive & active modes)" the gateway itself should have both passive and active mode ftp access enabled by the single line in ipf.rules and the single line in ipnat.rules.

So is it IPFilter malfunction or do I misunderstand anything?


----------



## SirDice (Oct 10, 2011)

Keep in mind that FTP uses, besides the command connection (port 21), a data connection from/to a random port (depending on passive or active mode).


----------



## MichaelF (Oct 11, 2011)

Yes, I know, but this "data connection from/to a random port" is created successfully from the clients on local net. Why is it not created on the gateway itself? It is the sole rule in ipf.rules that rules both gateway and local net ftp access. 

Seems this rule is sufficient for local net behind firewall but not sufficient for firewall itself...


----------



## SirDice (Oct 11, 2011)

Can you post the full firewall config? I have a feeling it's in there somewhere.


----------



## MichaelF (Oct 12, 2011)

Yes, of course! It's almost the same as discussed here: http://forums.freebsd.org/showthread.php?p=150185#post150185


```
#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################

pass out quick on xl0 all
pass in quick on xl0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public Internet (Outbound Section)
# Match session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public Internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
pass out quick on dc0 proto udp from any to any port = 53 keep state

# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state

# Allow out ssh/sftp/scp (telnet/rlogin/FTP replacements)
# This function is using SSH (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Allow out insecure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state

# Allow out FreeBSD CVSup
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule implements the default block
block out log first quick on dc0 all

#################################################################
# Interface facing Public Internet (Inbound Section)
# Match packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP
block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on dc0 from 127.0.0.0/8 to any       #loopback
block in quick on dc0 from 0.0.0.0/8 to any         #loopback
block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config
block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on dc0 all with frags

# Block short tcp packets
block in quick on dc0 proto tcp all with short

# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on dc0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on dc0 all with ipopts

# Block public pings
block in quick on dc0 proto icmp all icmp-type 8

# Block ident
block in quick on dc0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence avoids filling up disk with Denial of Service logs.
# This rule implements the default block.
block in log first quick on dc0 all
################### End of rules file #####################################
```
Moreover, if I temporarily add the line

```
pass out quick on dc0 all
```

to ipf.rules (to allow passive ftp-data connections from >1024 to >1024 ports) it does not help. The only thing that helps is stopping ipfilter.


----------



## MichaelF (Oct 12, 2011)

Another weird thing with IPFILTER: I needed a rule for non-standard http access (port 8101) so I added this line to ipf.rules file:


```
pass out quick on dc0 proto tcp from any to any port = 8101 flags S keep state
```

It works great. Then I made a test: I removed aforementioned rule and added this one:


```
pass out log first quick on dc0 all
```

The test results are as follows:
1) connections to 8101 port time out
2) there are no log (block or pass) entries in /var/log/ipfilter.log

Similar rules for my inside lan and loopback interfaces work great!


```
pass out quick on dc1 all
pass out quick on lo0 all
```


----------



## SirDice (Oct 12, 2011)

There's no rule for the ftp-data connection.



			
				MichaelF said:
			
		

> ...another weird thing with IPFILTER:
> I needed a rule for non-standart http access (port 8101) so I added this line to ipf.rules file:
> 
> ```
> ...


There's no state. Meaning the response will get blocked.
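To make the two points in this reply concrete, here is an added example that is not part of the thread and not IPFilter code: a toy Python model of ipf's rule evaluation (first `quick` match wins, `keep state` adds a state-table entry that is consulted before the rules, and ipf passes by default when nothing matches). It understands only the keywords the rules in this thread use (`on`, `proto`, `to ... port = N`, `quick`, `keep state`, `all`) and ignores source/destination addresses, so the rule sets below are constructed simplifications of the posted config, not the real ruleset. The port numbers 50123, 40000 and 54321 are arbitrary constructed ephemeral ports.

```python
"""Toy model of ipf(8) first-match/quick/keep-state evaluation (illustration only)."""
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

# Constructed rule sets (simplified from the thread, not the real config).
STATELESS_RULES = """
pass out log first quick on dc0 all
block in log first quick on dc0 all
"""
STATEFUL_RULES = """
pass out quick on dc0 proto tcp from any to any port = 8101 flags S keep state
block in log first quick on dc0 all
"""
PORT21_ONLY_RULES = """
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
block out log first quick on dc0 all
block in log first quick on dc0 all
"""


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str
    proto: Optional[str]   # None means any protocol ("all" rules)
    dport: Optional[int]   # None means any destination port
    keep_state: bool
    quick: bool
    text: str

    def matches(self, direction: str, iface: str, proto: str, dport: int) -> bool:
        if self.direction != direction or self.iface != iface:
            return False
        if self.proto is not None and self.proto not in (proto, "tcp/udp"):
            return False
        return self.dport is None or self.dport == dport


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf rule line; comments and blank lines yield None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    t = body.split()
    rule = Rule(action=t[0], direction=t[1], iface="", proto=None, dport=None,
                keep_state="keep state" in body, quick="quick" in t[2:], text=body)
    i = 2
    while i < len(t):
        if t[i] == "on":
            rule.iface = t[i + 1]
            i += 2
        elif t[i] == "proto":
            rule.proto = t[i + 1]
            i += 2
        elif t[i] == "to" and i + 4 < len(t) and t[i + 2] == "port" and t[i + 3] == "=":
            rule.dport = int(t[i + 4])  # "to any port = 21" -> 21
            i += 5
        else:
            i += 1  # log, first, quick, from/to targets, flags S, keep state
    return rule


class Firewall:
    def __init__(self, rules_text: str) -> None:
        self.rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
        # State entries are (proto, local_port, remote_port), direction-independent.
        self.state: Set[Tuple[str, int, int]] = set()

    def check(self, direction: str, iface: str, proto: str, sport: int, dport: int) -> str:
        key = (proto, sport, dport) if direction == "out" else (proto, dport, sport)
        if key in self.state:           # state table is consulted before the rules
            return "pass (state)"
        winner = None
        for r in self.rules:            # last match wins unless a match is "quick"
            if r.matches(direction, iface, proto, dport):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"               # ipf default when no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(key)
        return winner.action


def simulate_8101(rules_text: str) -> Tuple[str, str]:
    """Gateway opens TCP 8101 on dc0; returns (verdict on SYN out, verdict on SYN/ACK in)."""
    fw = Firewall(rules_text)
    out_verdict = fw.check("out", "dc0", "tcp", 50123, 8101)
    in_verdict = fw.check("in", "dc0", "tcp", 8101, 50123)
    return out_verdict, in_verdict


def simulate_passive_ftp_data(rules_text: str) -> str:
    """Gateway opens a passive ftp-data connection to a high server port."""
    return Firewall(rules_text).check("out", "dc0", "tcp", 40000, 54321)


def lint_stateless_pass_out(rules_text: str, iface: str) -> List[str]:
    """List 'pass out' rules on iface that lack 'keep state' (replies will not be let back in)."""
    return [r.text for r in map(parse_rule, rules_text.splitlines())
            if r and r.action == "pass" and r.direction == "out"
            and r.iface == iface and not r.keep_state]


if __name__ == "__main__":
    print("stateless:", simulate_8101(STATELESS_RULES))          # ('pass', 'block')
    print("stateful: ", simulate_8101(STATEFUL_RULES))           # ('pass', 'pass (state)')
    print("ftp-data: ", simulate_passive_ftp_data(PORT21_ONLY_RULES))  # block
    print("lint:     ", lint_stateless_pass_out(STATELESS_RULES, "dc0"))
```

The stateless case reproduces the symptom in the post: the outbound SYN is passed, but the returning SYN/ACK has no state entry and falls through to the inbound default block, so the connection times out. The `PORT21_ONLY_RULES` run shows the other point: the port 21 rule only covers the command connection, so a locally originated passive data connection to a high port hits the outbound default block. `lint_stateless_pass_out` is the check a practitioner would run over a real ipf.rules to spot `pass out` rules that will never let replies back in.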


----------



## MichaelF (Oct 12, 2011)

"There's no state. Meaning the response will get blocked." - shame on me, I completely forgot it. Thank you very much!

...but ftp problem still remains: ipfilter "ftp-proxy" should handle all ftp connections by means of the single rule.


----------



## SirDice (Oct 12, 2011)

MichaelF said:

> ...but ftp problem still remains: ipfilter "ftp-proxy" should handle all ftp connections by means of the single rule...


I must be going blind because I see no such line in the config you posted.


----------



## MichaelF (Oct 12, 2011)

Here is the single rule for ftp in ipnat.rules:


```
map dc0 10.3.0.0/16->0/32 proxy port 21 ftp/tcp
```

...and the single rule in ipf.rules:


```
# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.

pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
```


----------



## DutchDaemon (Oct 12, 2011)

MichaelF, start formatting your posts now, thanks.


----------

