# PF with incoming FTP connections



## bloodhound (Jul 13, 2009)

Hello,

I have a serious problem with the FTP server. 

Basically my connection is:


```
Public ip Firewall -> Public Ip FTP SERVER (DMZ)
       |
       |
Local Lan Private ip
```

From my local LAN I can go to the FTP server, but from outside of my network I cannot.

In /etc/sysctl.conf I have:


```
net.inet.ip.portrange.first=32768
net.inet.ip.portrange.last=49151
net.inet.ip.portrange.hifirst=49152
net.inet.ip.portrange.hilast=65535
```


This is a very small fragment of my pf.conf:

```
tcp_services = "{www, smtp, domain, pop3, auth, https, pop3s, ftp, ftp-data, 1863, 5000, 5050, 5100, 5222, ssh, 2703, 465, 587}"

tcp_wan1 = "{auth, www, domain, pop3, https, pop3s, 5000, 465, 10000, 587, 993 }"

block in log all
antispoof quick for {$if_int $if_ext}

# Firewall -> Any (Outgoing).

#pass out quick proto tcp from any to any flags S/SAFR keep state
pass out quick from any to any keep state

# $FTP = my ftp server (macro definition not shown here)
pass in quick on $if_ext proto tcp from any to $FTP port $tcp_wan1 flags S/SAFR keep state
pass in quick on $if_ext proto tcp from any to $FTP port 21 flags S/SAFR keep state
# static hole for passive data connections (note: ">" excludes 32768 itself)
pass in quick on $if_ext proto tcp from any to $FTP port > 32768 flags S/SAFR keep state

pass in quick on $if_pub proto tcp from any to any port $tcp_services flags S/SAFR keep state
```

If anyone could help me with the insane FTP, it would be greatly appreciated.


----------



## SirDice (Jul 13, 2009)

Have a read here: http://www.openbsd.org/faq/pf/ftp.html


----------



## bloodhound (Jul 13, 2009)

But I don't use NAT, plus I think I already tried that too.

I have pftpx as a proxy to the outside.


----------



## SirDice (Jul 13, 2009)

Even if you don't use NAT, FTP uses random ports for the data transfer. This is somewhat difficult to firewall.


----------



## aragon (Jul 14, 2009)

Surely ftp-proxy(8) with the right arguments should work in reverse?


----------



## bloodhound (Jul 14, 2009)

I tried the lines from OpenBSD... At the moment I don't know if it is working, since I only tested it from a network and it was working from there.

But after I added the rules, clients were not able to connect to outside FTP.

Do I have to run 2 ftp-proxy processes? 1 with the flags and 1 with a redirect to 127.0.0.1 21?


----------



## aragon (Jul 16, 2009)

bloodhound said:

> But after I added the rules, clients were not able to connect to outside FTP.
>
> Do I have to run 2 ftp-proxy processes? 1 with the flags and 1 with a redirect to 127.0.0.1 21?


You will need two ftp-proxy instances, yes.


----------



## bloodhound (Jul 17, 2009)

I must be doing something wrong... 

since I use this from OpenBSD (with my IPs, of course):


```
# rc.conf (FreeBSD) / rc.conf.local (OpenBSD): flags for the reverse proxy
ftpproxy_flags="-R 10.10.10.1 -p 21 -b 192.168.0.1"

# pf.conf
ext_ip = "192.168.0.1"
ftp_ip = "10.10.10.1"

nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)
rdr-anchor "ftp-proxy/*"

pass in on $ext_if inet proto tcp to $ext_ip port 21 \
    flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state
anchor "ftp-proxy/*"
```

The FTP is not working at all from outside; at least before I had some connections.


----------
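
A pf.conf sketch of the two-instance setup aragon describes, added here as an example; it is not from the thread or copied from the OpenBSD FAQ. It assumes interface names em0/em1/em2 and a separate DMZ interface for the FTP server as in the diagram, reuses the 192.168.0.1 / 10.10.10.1 addresses from the post above, and assumes the forward proxy is started as plain `ftp-proxy` (its default listener is 127.0.0.1:8021) and the reverse one with the `-R`/`-p`/`-b` flags shown above.

```pf
# Added example: pf.conf for two ftp-proxy instances (not from the thread).
# Interface names are assumptions; addresses reuse the values from the post.
ext_if = "em0"           # Internet
dmz_if = "em1"           # segment holding the FTP server
int_if = "em2"           # local LAN
ext_ip = "192.168.0.1"   # address the reverse proxy binds to (-b)
ftp_ip = "10.10.10.1"    # FTP server the reverse proxy forwards to (-R)

# Both proxies install their per-session nat/rdr/pass rules under these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Instance 1 (forward, for LAN clients): started as plain "ftp-proxy", which
# listens on 127.0.0.1:8021 by default. LAN control connections to port 21
# are redirected into it; it then adds a rule for each data channel itself.
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 \
    -> 127.0.0.1 port 8021

block in log all
pass out keep state

# Instance 2 (reverse, for Internet clients): started as
#   ftp-proxy -R 10.10.10.1 -p 21 -b 192.168.0.1
# It accepts the control connection on $ext_ip:21 and opens its own
# connection to the real server as user "proxy".
pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
pass out on $dmz_if inet proto tcp to $ftp_ip port 21 \
    user proxy flags S/SA keep state

# Evaluated last: the proxies' dynamic data-channel rules live here, so no
# static "port > 32768" hole towards the server is needed.
anchor "ftp-proxy/*"
```

With the anchors in place, `pfctl -a "ftp-proxy/*" -sr` shows the per-session rules each proxy inserts while a transfer is active, which is the quickest way to confirm which instance is handling a given client.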

