# pf, ftp-proxy, nat, and dhcp



## neurosis (Nov 20, 2008)

I am following the instructions shown in this link. 

http://www.openbsd.org/faq/pf/ftp.html#natserver



> Here 10.10.10.1 is the IP address of the actual FTP server, 21 is the port we want ftp-proxy(8) to listen on, and 192.168.0.1 is the address on the firewall that we want the proxy to bind to.



My question is, what do you do if your firewall address is dynamic?


----------



## aragon (Nov 20, 2008)

ftp-proxy is usually called from inetd for each connection.  It should be possible to write a wrapper script that checks the current IP address and then calls ftp-proxy.

When the script exits, use the same exit status from ftp-proxy ($?).

Just a guess.  Let me know if you figure it out.


----------



## neurosis (Nov 20, 2008)

The ftp-proxy I am asking about uses inetd. I don't know anything about writing scripts either. Thanks for the suggestions.


----------



## aragon (Nov 20, 2008)

Try putting this into a file called ftp-proxy-wrapper.sh and set it executable:


```sh
#!/bin/sh
# Wrapper for the old inetd-style ftp-proxy: look up the current address of
# the interface named as the first argument and hand it to ftp-proxy -a.

if [ -z "$1" ]; then exit 1; fi

IFACE=$1
# The "inet" line of ifconfig looks like "<tab>inet 192.168.0.1 netmask ...",
# so the address is the second whitespace-separated field, not the first.
ADDRESS=$( ifconfig "${IFACE}" | grep "inet " | head -1 | awk '{print $2}' )

# Refuse to start the proxy with an empty bind address (interface down or
# not yet configured), which would otherwise silently bind to a wildcard.
if [ -z "${ADDRESS}" ]; then exit 1; fi

ftp-proxy -a "${ADDRESS}"
exit $?
```

Now call that from inetd:


```
ftp-proxy stream tcp nowait root /usr/local/sbin/ftp-proxy-wrapper.sh ftp-proxy-wrapper.sh tun0
```

Replace 'tun0' with whatever interface you use.

Haven't tested this - good luck.


----------



## aragon (Nov 20, 2008)

I just had a look at the ftp-proxy man page.  It has changed radically since I last used it.  It doesn't use inetd at all anymore, so the above script won't work.  What version of FreeBSD are you running?


----------



## vivek (Nov 20, 2008)

Add it to /etc/rc.conf:


```
ftpproxy_enable="YES"
```

Start it:

```
/etc/rc.d/ftp-proxy start
```

Update pf.conf as provided by openbsd pf docs and restart pf:

```
# /etc/rc.d/pf reload
```

A step by step tutorial:
http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/


----------



## neurosis (Nov 20, 2008)

So I followed this tutorial. I've made myself a test pf.conf for testing proxy-only usage. Here is the config.


```
# cat pf.proxy
ext_if="re0"                                            # The external interface
int_if="rl0"                                            # The internal interface

##Global Options
set loginterface $ext_if
set skip on lo0


## TRAFFIC NORMALIZATION

## QUEUEING RULES

#NAT
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

##Filter rules
block log all

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out on $ext_if proto udp from any to any port 53 # <-- need this to resolve addresses

#Make sure SSH to firewall works
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port 22
```

I tried to connect to ftp.freebsd.org and had no luck.

I then ran

```
tcpdump -e -n -i lo0
```

and tried to connect to ftp.freebsd.org. There was no traffic redirected to lo0.


I then pinged lo0 to see if it was accepting traffic.


```
]# tcpdump -e -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
10:52:32.998542 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 0, length 64
10:52:32.998569 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 0, length 64
10:52:33.999648 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 1, length 64
10:52:33.999670 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 1, length 64
10:52:35.000644 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 2, length 64
10:52:35.000666 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 2, length 64
10:52:36.001636 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23493, seq 3, length 64
10:52:36.001658 AF IPv4 (2), length 88: 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 23493, seq 3, length 64
```

So I know that I have traffic going to lo0.

I then ran

```
tcpdump -e -n -i pflog0
```

then tried to connect to ftp.freebsd.org again to make sure that the firewall wasn't blocking. There were no attempts to lo0 blocked.


I wanted to test this so I changed my rules. I removed 

```
set skip on lo0
```
and reloaded the rules. 

I once again ran tcpdump on lo0 and it showed no traffic when I pinged lo0, as expected.

I then ran 


```
tcpdump -e -n -i pflog0
```

and pinged lo0 again. 



```
# tcpdump -e -n -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
10:36:48.581290 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 0, length 64
10:36:49.581973 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 1, length 64
10:36:50.582966 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 2, length 64
10:36:51.583956 rule 0/0(match): block out on lo0: 127.0.0.1 > 127.0.0.1: ICMP echo request, id 63940, seq 3, length 64
```

Am I doing something wrong here? I don't think that the proxy is working at all.

```
]# ps aux |grep ftp-proxy
proxy    48717  0.0  0.2  3104   916  ??  Ss    6:42AM   0:00.10 ftp-proxy
```


```
# sockstat -4 |grep ftp-proxy
proxy    ftp-proxy  48717 3  tcp4   127.0.0.1:8021        *:*
```

I can't see what the problem would be.


----------



## Mel_Flynn (Nov 21, 2008)

The problem is that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for *server connections*.


```
+--------------+        +--------------+        +-------------+
+ 192.168.1.10 +   <--- +   Gateway    +  <---  +   Internet  +
+   ftp server +        +   ftp-proxy  +        + ftp client  +
+--------------+        +--------------+        +-------------+
```
That's where ftp-proxy is used.

If you simply want to make ftp connections TO the internet, then you don't need to do anything special. This works out of the box if your nat is set up properly and FTP_PASSIVE_MODE is set on the client machine.


----------



## aragon (Nov 21, 2008)

Mel_Flynn said:

> The problem is, that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for *server connections*.

Rubbish.  ftp-proxy can be used in both scenarios.



			
				Mel_Flyn said:
			
		

> If you simply want to make ftp connections TO the internet, then you don't need to do anything special. This works out of the box, if your nat is set up properly and FTP_PASSIVE_MODE is set on the client machine.


The point is to get it working in both data modes...

Neurosis, what version of FreeBSD are you running?


----------



## neurosis (Nov 21, 2008)

aragon said:

> The point is to get it working in both data modes...
> 
> Neurosis, what version of FreeBSD are you running?

FreeBSD 7.0-RELEASE-p5

I would love to get this connection working for both passive and active. I am indeed running an ftpd in a jail behind the firewall, but it's proving to be such a pain to get working that I am about to give up. Most of my problems are with my default block all. If I just set a rule to allow all out from the firewall, this problem goes away. I am having a problem with both client and ftpd.




			
				Mel_Flynn said:
			
		

> The problem is, that you're trying to use ftp-proxy(8) for client connections. However, ftp-proxy is made to be used for *server connections*.



I believe that its used for ftp client connections too. I am assuming so that you dont have to open such a huge range of ports for connections.
http://www.openbsd.org/faq/pf/ftp.html#client


----------



## aragon (Nov 21, 2008)

Ok, FreeBSD 7.0 has the new PF, so that howto is valid; however, I think the author omitted one important detail:

```
pass out proto tcp from any to any port 21
```

Try adding that to your ruleset...


----------



## neurosis (Nov 21, 2008)

aragon: I did try that earlier today. It gets me a little further but doesn't build the data connection. I used the logs to track down what was going on, and basically I was just starting to create rules as if I weren't using the proxy at all. That was when I figured out that the proxy wasn't working for me. Maybe I am trying to use it in a manner that it wasn't meant for?

I have a bit of a silly question here. I notice that when I try to make connections to the internet from my lan with the block log all rule, it shows the incoming connection attempts being blocked from the lan pc. When I try to connect to the internet from the jail, rather than showing the incoming connection attempt being blocked as it showed from the lan pc, it just shows the attempt being blocked from going out on the ext_if (it does show the jail ip being blocked from connecting out). This leads me to believe that even though I have the jail ip's alias on the int_if, it treats the jails differently, as if they are basically just the host with a different ip. Does anyone have any input on that?

P.S. Sorry if that is hard to understand. I have a hard time articulating my thoughts.


----------



## aragon (Nov 21, 2008)

Try running the proxy with the -D and -d flags so that you can see what it is doing (or not doing).


----------



## neurosis (Nov 21, 2008)

aragon said:

> Try run the proxy with the -D and -d flags so that you can see what it is doing (or not doing).

Just as I suspected. It's not doing anything. The connection never even attempts to go through the proxy.


----------



## Mel_Flynn (Dec 2, 2008)

Make two rules for the rdr, one on $int_if and one on $ext_if (two different states).
If that still doesn't work, change block log all to block in log all, then figure out why the anchors for the outgoing proxy connection aren't created.
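Pulling the thread's advice together, here is an added example ruleset for the client-side ftp-proxy setup neurosis is testing; it is not from any poster in this thread or from the OpenBSD FAQ. It keeps the default-deny, adds the `pass out` for the proxy's control connection that aragon pointed out the tutorial omitted, and uses the two rdr rules Mel_Flynn suggests. The interface names, the 192.168.1.0/24 LAN and the jail address are assumptions; adjust them to your setup. The syntax is the pre-4.7 pf (nat/rdr rules) that FreeBSD 7.0 ships.

```pf
# Added example pf.conf for ftp-proxy in client mode (not from this thread).
# Assumed values: re0/rl0, LAN 192.168.1.0/24, jail alias 192.168.1.2.
ext_if="re0"
int_if="rl0"
lan_net="192.168.1.0/24"
jail_ip="192.168.1.2"
proxy="127.0.0.1"
proxy_port="8021"

set loginterface $ext_if
set skip on lo0

# Translation. ftp-proxy inserts its own nat/rdr rules for the data
# connections into these anchors, so they must be evaluated before the
# static rules below.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $lan_net to any -> ($ext_if)

# Redirect outbound FTP control connections into the proxy. Two rules, as
# suggested in the thread: LAN clients arrive on $int_if, the jail's traffic
# is first seen on $ext_if. "rdr pass" also passes the redirected packet, so
# no separate filter rule is needed for the control connection on this side.
rdr pass on $int_if proto tcp from $lan_net to any port ftp -> $proxy port $proxy_port
rdr pass on $ext_if proto tcp from $jail_ip to any port ftp -> $proxy port $proxy_port

# Filtering. Default deny, logged, so pflog0 shows what is dropped.
block log all

# ftp-proxy inserts the per-session pass rules for the data connections here.
anchor "ftp-proxy/*"

# DNS so the firewall and the LAN can resolve names.
pass out on $ext_if proto udp from any to any port 53 keep state
pass in  on $int_if proto udp from $lan_net to any port 53 keep state

# The control connection from the proxy to the real FTP server. With a
# default deny this is the rule the tutorial left out; the proxy itself opens
# this connection, so nothing else on the firewall needs port 21 out.
# "user proxy" limits it to sockets owned by the proxy's unprivileged user.
pass out on $ext_if proto tcp from ($ext_if) to any port ftp user proxy flags S/SA keep state

# Management: SSH to the firewall.
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the redirect is installed with `pfctl -sn`; while a client session is open, `pfctl -a 'ftp-proxy/*' -sr` lists the data-connection rules the proxy has inserted, which is the quickest way to tell whether the control connection ever reached the proxy at all.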


----------



## chrcol (May 20, 2009)

Guys, I am trying to get this to work on freebsd 6.4.

It seems it's easier on freebsd 7, as the supplied ftp-proxy runs as a daemon, whilst the one with freebsd 6 is called by inetd and doesn't work.

As a workaround I have the pasv ports currently always open in PF, but I want to use ftp-proxy instead.


----------

