# proftpd + pf .. external clients can't connect



## Orige (Apr 19, 2010)

Hi all.
I installed proftpd on my server, FreeBSD 8 amd64 stable, with pf.
I set up the ftp rules in pf.conf and in inetd too.

My proftpd.conf looks like this:


```
#
# For more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"FTP StoreComputer"
ServerType			standalone
DefaultServer			on
ScoreboardFile		       /var/run/proftpd/proftpd.scoreboard

# Port 21 is the standard FTP port.
Port				21
# Use IPv6 support by default.
UseIPv6				off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances			30

CommandBufferSize	512

# Set the user and group under which the server will run.
User				nobody
Group				nogroup

#AuthUserFile /etc/passwd.ftp
RequireValidShell off

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot /usr/ftp

# Normally, we want files to be overwriteable.
AllowOverwrite		on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.

#########################################################################
#                                                                       #
# Uncomment lines with only one # to allow basic anonymous access       #
#                                                                       #
#########################################################################

#<Anonymous /usr/ftp>
#   User			ftp
#   Group			ftp
#</Anonymous>   

  ### We want clients to be able to login with "anonymous" as well as "ftp"
  # UserAlias			anonymous ftp

  ### Limit the maximum number of anonymous logins
  # MaxClients			10

  ### We want 'welcome.msg' displayed at login, and '.message' displayed
  ### in each newly chdired directory.
   DisplayLogin			welcome.msg
  # DisplayFirstChdir		.message

  ### Limit WRITE everywhere in the anonymous chroot
  # <Limit WRITE>
  #   DenyAll
  # </Limit>
#</Anonymous>


# MODULES
<IfModule mod_auth_pam.c>
    AuthPAM on
</IfModule>


<IfModule mod_quotatab.c>
    QuotaEngine on
    QuotaLog /var/log/ftpd/quota.log

    # For more information on using files for storing the limit and tally
    # table quota data, please see the mod_quotatab_file documentation:
    #
    #   http://www.castaglia.org/proftpd/modules/mod_quotatab_file.html
    #
    <IfModule mod_quotatab_file.c>
      QuotaLimitTable file:/etc/ftpd/ftpquota.limittab
      QuotaTallyTable file:/etc/ftpd/ftpquota.tallytab
    </IfModule>

 </IfModule>
```

and the rule in pf.conf is:

```
pass in quick proto {tcp,udp} from any to any port ftp keep state
```

But with these rules I can't connect to my ftp server from a remote network.

Does somebody have an idea?

Thanks..


----------



## SirDice (Apr 19, 2010)

You also need to open ftp-data. FTP is notoriously tricky to firewall.

http://www.openbsd.org/faq/pf/ftp.html


----------



## Orige (Apr 19, 2010)

OK. Now my pf.conf looks like this:


```
nat-anchor "ftp-proxy/*"
nat on $EXTIF from !($EXTIF)->($EXTIF:0)
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 21

anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port 21 keep state
```

And still nothing.
What am I doing wrong?


----------



## SirDice (Apr 19, 2010)

ftp-proxy not running?


----------



## Orige (May 10, 2010)

Yes. It's running..

I installed pure-ftpd and when I activate pf, ftp doesn't work.
The problem is pf but I don't know what to do.
I tried everything.
My pf.conf:

```
#
# INTERFACES

ext_if="bge0" # receives the Internet
int_if="bge1" # shared internal network
vpn_if="tun0" # interface for the VPN

#
# MACROS

#IPS
voip="192.168.1.2"
servidor_win="192.168.1.3"
note_regi="192.168.1.4"

# Services
postgres="5432"
vnc="5500"
radmin="4899"

# Log all traffic on the external interface
set loginterface $ext_if


#
# OPTIMIZATION

# Protection against buffer overflow and DDoS attacks
set limit { frags 30000, states 25000 }

# Default firewall optimization - conservative level
set optimization conservative

#
# SCRUB

set skip on lo0
scrub in all

#
# NAT
nat on $ext_if from !($ext_if)->($ext_if:0)

#FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#
# REDIRECTION

# FTP problem

rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Squid HTTP
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Servers and VoIP

rdr pass on $ext_if proto tcp from any to any port 5060 -> $voip port 5060
rdr pass on $ext_if proto tcp from any to any port 5061 -> $voip port 5061
rdr pass on $ext_if proto tcp from any to any port 4899 -> $servidor_win port $radmin
rdr pass on $ext_if proto tcp from any to any port 3389 -> $servidor_win port 3389
rdr pass on $ext_if proto tcp from any to any port 5432 -> $servidor_win port 5432

# Remote support

rdr pass on $ext_if proto tcp from any to any port 5500 -> $assistencia port $vnc

#
#  FILTERING

block log all
block return

pass out all keep state

# Preventing hijacking on the internal and external interfaces
antispoof for $int_if
antispoof for $ext_if

#Squid
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out quick on $ext_if inet proto { tcp, udp } from any to any port www keep state
pass in quick on { lo0 , $int_if } all

# FTP
anchor "ftp-proxy/*"
pass quick proto tcp from $int_if to any port 8021 keep state
pass in on $ext_if proto tcp from any to $ext_if port > 49151 keep state

# SSH
pass in on $ext_if inet proto tcp from any to any port ssh keep state
```

It's basically this.
I tried several configurations for pf.conf, a few combinations of rules, and nothing.
Some rules:


```
pass on $ext_if proto tcp from any to any port 21 keep state 
pass on $ext_if proto tcp from any to any port 8021 keep state 
pass in on $ext_if proto tcp from any to any port 60000 >< 60500 keep state 
pass out quick proto tcp from any to any port ftp keep state 
pass out quick proto tcp from any to any port 8021 keep state 
pass in quick proto tcp from any to any port ftp keep state 
pass quick proto {tcp,udp} from any to any port 21 keep state 
pass in on $ext_if inet proto tcp from any port ftp-data to ($ext_if) user proxy flags S/SA keep state 
pass in on $ext_if proto tcp from any to any port ftp flags S/SA synproxy state
```

Help me please.

Best Regards.
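The arrangement the thread converges on (proftpd running on the pf host itself, a fixed passive data range opened inbound, ftp-proxy kept only for LAN clients going out through NAT), written up here as an added example; it is not any poster's configuration. Interface names come from the posted pf.conf; the passive range and the placeholder public address are assumptions.

```conf
# --- proftpd.conf (server side) ---------------------------------------
# Pin the passive data ports so pf can hold one small, known hole instead
# of "port > 49151". The 60000-60500 range is an assumption (one of the
# ranges tried in the thread). MasqueradeAddress matters only when the
# address the server sees on its interface is not the public one.
PassivePorts            60000 60500
# MasqueradeAddress     203.0.113.10    # placeholder public address

# --- pf.conf (FreeBSD 8 syntax), FTP server on the firewall itself -----
ext_if="bge0"
int_if="bge1"
ftp_pasv="60000:60500"

# Control channel (21) plus the passive data range, stateful, matching
# only the initial SYN. In passive mode every data connection is opened
# inbound by the client, so nothing else needs an rdr or a proxy for
# external clients.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port { ftp, $ftp_pasv } flags S/SA keep state

# Active mode (client sends PORT): the server connects *out* from port 20
# to the client. A generic "pass out all keep state" already covers this;
# the explicit rule documents what is being allowed.
pass out on $ext_if inet proto tcp from ($ext_if) port ftp-data \
    to any flags S/SA keep state

# ftp-proxy is for *internal clients* reaching *external* servers through
# NAT. It does nothing for connections coming in to this server, which is
# why the poster's inbound problem could not be solved with it.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
pass out proto tcp from any to any port ftp keep state   # the proxy's own control connections
```

Test from a host that is genuinely outside: a LAN client aimed at the public address does not take the same path through the upstream router and the `$ext_if` rules as an external client, so it can hide exactly the kind of upstream blocking the thread ended up finding.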


----------



## Orige (Jun 9, 2010)

I solved the problem..
The problem was me!


----------



## DutchDaemon (Jun 9, 2010)

Post your solution. This is not a helpdesk, it's a forum. We share knowledge.


----------



## Orige (Jun 9, 2010)

*Hold on*

Hold on . . I left the answer to close the matter and then I'll write a proper response.

There was one problem.

First, the router that authenticates to the Internet is completely open, so I thought the problem was in my pf, because everything is open and only my server has rules. I concentrated only on the firewall.
I was wrong.
I discovered that my router does not accept incoming connections to port 21 by default; connections that tried to pass through it failed.

Ok

So I opened another port, 2121, and tried to make the connection.
All right now.

I did not need to use any kind of proxy (ftp-proxy) and anchors.

Sometimes I was testing the wrong way.

Why does the connection fail when I try to connect to FTP from my local network as if I were outside it?

Thanks to everyone who tried to help me.


----------



## DutchDaemon (Jun 10, 2010)

Thank you.


----------

