# PF Nat & pure-ftpd never worked.



## bryn1u (Nov 4, 2017)

Hello guys,

I can't resolve the problem with NAT and PF. I'm always getting some issue. I tried almost everything: with ftp-proxy and without ftp-proxy, with an opened passive port range, but it never worked. Can someone tell me what I am doing wrong?


```
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###
################################################

IP_PUB="79.137.56.144"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{ 20, 21 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

################################
### Queues, States and Types ###
################################

IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
synstate ="flags S/UAPRSF synproxy state"
tcpstate ="flags S/UAPRSF modulate state"
udpstate ="keep state"

################
### Tables #####
################

table <blocktemp> counters
table <bruteforce> persist file "/etc/bruteforce"
table <spamd-white> persist

######################
### Options        ###
######################

set skip on lo
set debug urgent
set ruleset-optimization none

#######################
### Timeout Options ###
#######################

set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

#############################
### Traffic Normalization ###
#############################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###########################
##   Queueing Rules      ##
###########################

###############################################
### NAT and Redirection rules are first match #
###############################################

nat on em0 from $NET_JAIL to any -> $IP_PUB static-port
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

###########################
# DENY rogue redirection ##
###########################

no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse path check fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

####################################################
# Block os-fingerprinting probes                  ##
# F=FIN,S=SYN,R=RST,P=PUSH,A=ACK,U=URG,E=ECE,W=CWR ##
####################################################

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if proto tcp flags FUP/FUP
block in log quick on $ext_if from any os "NMAP" to any label "NMAP scan block rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic           #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

#################################
# Block all ips               ##
# pfctl -t bruteforce -T show  ##
#################################

block drop in log (all)  quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
# (no stateful-tracking-option macros are defined in the STO section above,
#  so only $tcpstate is applied here)
pass in on $ext_if proto tcp from any to any port 22   $tcpstate
pass in on $ext_if proto tcp from any to any port 80   $tcpstate

#### UDP ###
pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

# pass for jail ports
# pass in on $ext_if proto tcp from any to $IP_JAIL port { 20, 21 } $tcpstate
```

I'm getting a message in FileZilla like "can't be routed". I checked in tcpdump: I have a connection from me to the server listening on port 21, but nothing ever comes back from the server to me. I really don't understand it anymore.
pure-ftpd is in jail 192.168.0.1 and listens on 192.168.0.1:21


----------



## SirDice (Nov 6, 2017)

A good explanation regarding passive vs. active FTP: http://slacksite.com/other/ftp.html

I would suggest forgetting about FTP and using SFTP instead. It works just like FTP but uses SSH to tunnel the protocol. Much safer, as it uses better authentication and the traffic is encrypted. It also only requires access to port 22; no other ports are needed, and thus it doesn't suffer from the dynamic nature of the FTP data channel. Lots of GUI applications for Windows or OS X can also use SFTP instead of FTP (making it pretty much a drop-in replacement).


----------



## ab2k (Nov 6, 2017)

Hi, 

FTP relies not only on port 21 (ftp); it also uses port 20 (ftp-data), which you forgot to redirect. Also, I would suggest you set up passive ports in /usr/local/etc/pure-ftpd.conf like this:


```
PassivePortRange             59547 59997
```

And to sum it up, here is a PF rule for /etc/pf.conf (remove all those anchor things, just use this rule):


```
# the port range must match PassivePortRange in pure-ftpd.conf
rdr pass on em0 proto tcp from any to em0 port { ftp, ftp-data, 59547:59997 } -> 192.168.0.1
```

Hope it will help you.
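A fuller version of the passive-mode setup ab2k describes, added here as an example rather than taken from any post in the thread. It assumes the addresses and port range used in the thread. Two things the single rdr rule does not cover: pure-ftpd must put the NAT's public address into its PASV replies (otherwise the client is told to connect to 192.168.0.1, which is exactly what FileZilla reports as an address that can't be routed), and because the original ruleset blocks inbound traffic by default, the redirection has to carry the `pass` keyword or be paired with a `pass in` rule.

```pf
# --- /usr/local/etc/pure-ftpd.conf (inside the jail at 192.168.0.1) ---
# Fixed passive range so pf can redirect a known set of ports.
PassivePortRange          59547 59997
# Address advertised in PASV replies: the public IP of the NAT host,
# not the jail's private one, or clients get an unroutable 192.168.0.1.
ForcePassiveIP            79.137.56.144

# --- /etc/pf.conf on the host (translation section) ---
# Translation rules are first-match; with the server handling passive
# mode itself, the ftp-proxy anchors and the "-> 127.0.0.1 port 8021"
# rule from the original ruleset are not needed.
ext_if  = "em0"
ip_pub  = "79.137.56.144"
ip_jail = "192.168.0.1"
pasv    = "59547:59997"            # must equal PassivePortRange above

# outbound traffic from the jail network leaves with the public address
nat on $ext_if from 192.168.0.0/24 to any -> $ip_pub static-port

# control channel (21), active-mode data port (20) and the passive range
# all go to the jail. "rdr pass" lets the redirected packets through
# without consulting the filter rules, so the default "block in" below
# does not drop the SYN that tcpdump showed arriving and never answered.
rdr pass on $ext_if proto tcp from any to $ip_pub port { ftp, ftp-data, $pasv } -> $ip_jail

# --- filter section (unchanged from the original ruleset) ---
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```

After editing both files, reload with `pfctl -f /etc/pf.conf` on the host and restart pure-ftpd in the jail; `pfctl -s nat` should then list the single rdr rule ahead of any anchor entries.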


----------



## bryn1u (Nov 9, 2017)

ab2k said:


> Hi,
> 
> FTP relies not only on port 21 (ftp); it also uses port 20 (ftp-data), which you forgot to redirect. Also, I would suggest you set up passive ports in /usr/local/etc/pure-ftpd.conf like this:
> 
> ...




```
################################################
### Firewall PF Rules FreeBSD/HardenedBSD 11 ###
################################################

IP_PUB="79.137.56.144"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

### connected to internet
ext_if = "em0"

######################################
### Stateful Tracking Options (STO) ##
######################################

################################
### Queues, States and Types ###
################################

IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
synstate ="flags S/UAPRSF synproxy state"
tcpstate ="flags S/UAPRSF modulate state"
udpstate ="keep state"

################
### Tables #####
################

table <blocktemp> counters
table <bruteforce> persist file "/etc/bruteforce"
table <spamd-white> persist

######################
### Options        ###
######################

set skip on lo
set debug urgent
set ruleset-optimization none

#######################
### Timeout Options ###
#######################

set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

#############################
### Traffic Normalization ###
#############################

scrub in on $ext_if all random-id fragment reassemble

#################
### FTP-Proxy ###
#################

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

###########################
# DENY rogue redirection ##
###########################

no rdr

###########################
##   Packet Filtering    ##
###########################

block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"

#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

##################################################################
# keep state on any outbound tcp, udp, or icmp traffic           #
# modulate the isn (initial sequence number) of outgoing packets #
##################################################################

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

######################
#### FTP-Proxy #######
######################

anchor "ftp-proxy/*"

#################################
# Block all ips               ##
# pfctl -t bruteforce -T show  ##
#################################

block drop in log (all)  quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>

#### TCP ###
# (no stateful-tracking-option macros are defined in the STO section above,
#  so only $tcpstate is applied here)
pass in on $ext_if proto tcp from any to any port 22   $tcpstate
pass in on $ext_if proto tcp from any to any port 80   $tcpstate

#### UDP ###
pass in on $ext_if proto udp from any to any port { 53, 9987 } $udpstate

# pass for jail ports
```

I bought an additional IP and configured it on the jail. Since then I have an active connection, not passive. I removed the NAT and rdr section; instead I left the section with the anchor and ftp-proxy. Could you help explain what I should do to make it work?


----------

