# ftp/fetch to world behind Router NAT as well as PF



## zeissoctopus (Oct 25, 2009)

Hello all, may you give me any advice on my PF settings for an FTP client behind PF.

*Just one simple aim*

My FreeBSD base and jails can ftp/fetch smoothly behind PF while installing ports.
They do not provide any ftpd service.

*Networking environment*

1. FreeBSD 7.2R-p4 is behind the router's NAT
2. The FreeBSD host has one NIC only
3. The FreeBSD host has three service jails for web, pgsql, sendmail
4. I put the FreeBSD base and all jails behind the base's PF, using IP-based rules on the NIC
5. The outside world connects to my web and sendmail servers through the router's port forwarding feature.

Hence, my base and service jails are behind PF and the router's NAT.

*With PF disabled it can ftp, but it fails after enabling PF*

This proves to me that the networking is OK. The problem is the PF configuration.

*I want to use ftp-proxy but never succeed*

OpenBSD PF FAQ, Issues with FTP, section FTP Client behind the firewall
http://www.openbsd.org/faq/pf/ftp.html

I followed these instructions but never succeeded. I guess it is caused by my
networking environment: only one NIC, and the FreeBSD host is behind the router's NAT.
The sample config from this FAQ is not suitable for my scenario.

*Using rdr + filter rules, I can ftp with PF*

Now I redirect the ftp ports from the FreeBSD base / jails directly to the router IP.
I add an outgoing filter rule to permit the ftp ports out from the target,
and an incoming filter rule to accept remote ftp traffic coming to the target.

PF rules for FTP:

```
my_if="em0"
my_router="192.168.1.1"
base_ip="192.168.1.7"
jail_httpd="192.168.1.50"
# Placeholder addresses: the pgsql and mail jail IPs are not given in the post,
# but the macros must exist or pfctl refuses to load the ruleset.
jail_pgsql="192.168.1.51"
jail_mail="192.168.1.52"

# Redirect outbound FTP control/data connections from the base and the httpd
# jail to dedicated ports on the router
rdr pass on $my_if inet proto { tcp udp } from $base_ip to \
                   any port ftp -> $my_router port 55021
rdr pass on $my_if inet proto { tcp udp } from $base_ip to \
                   any port ftp-data -> $my_router port 55020

rdr pass on $my_if inet proto { tcp udp } from $jail_httpd to \
                   any port ftp -> $my_router port 55031
rdr pass on $my_if inet proto { tcp udp } from $jail_httpd to \
                   any port ftp-data -> $my_router port 55030

# Let the FTP control and data connections out ($base_ip replaces the
# undefined $my_ip macro of the original listing)
pass out quick on $my_if inet proto tcp from \
                  { $base_ip, $jail_httpd } to any port { ftp, ftp-data }

# Accept unsolicited TCP connections to the ephemeral port range on the base
# and all jails
pass in quick on $my_if inet proto tcp from any to \
                 { $base_ip, $jail_httpd, $jail_pgsql, $jail_mail } \
                 port >49152
```
With the above rdr rules and filter rules, I can do passive ftp from the base
or from the jails, which are behind PF as well as the router's NAT.

*Some questions*

1. Question about ftp-proxy

*Can ftp-proxy solve my ftp problem too?*

2. Question about ip.portrange

My FreeBSD 7.2R-p4 amd64 portrange values:

```
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
```

*Is it safe to rdr / pass in the 49152:65535 port range?*
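
To make the port-range question concrete, here is an added Python example (not from the post, the OpenBSD FAQ, or the PF project) that parses the two FTP control-channel messages which set up a data connection, the client's `PORT` command (active mode) and the server's `227` reply (passive mode), and checks each one against the `pass in ... port >49152` rule quoted above, using the ephemeral range from the sysctl output. In passive mode the client initiates the data connection outbound, so only the `pass out` rule and the state it creates are involved; in active mode the server connects in to the port the client announced, which is the only case the wide `pass in` rule actually serves. The session lines and addresses are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Threshold of the 'pass in ... port >49152' rule quoted in the post. PF's '>'
# is strict, so port 49152 itself, which is net.inet.ip.portrange.first in the
# quoted sysctls, is not covered by that rule.
RULE_PORT_GT = 49152
EPHEMERAL_LAST = 65535  # net.inet.ip.portrange.last from the post

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by a PORT command or a
    227 (Entering Passive Mode) reply. Returns (ip, port), or None when the
    tuple is absent, has an octet above 255, or encodes port 0."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def classify(line: str) -> Optional[dict]:
    """Classify one control-channel line that announces a data connection.
    Active mode: the client sends PORT and the *server* connects in.
    Passive mode: the server answers 227 and the *client* connects out."""
    stripped = line.strip()
    if stripped.upper().startswith("PORT "):
        mode = "active"
    elif stripped.startswith("227"):
        mode = "passive"
    else:
        return None
    hp = parse_hostport(stripped)
    if hp is None:
        return None
    return {"mode": mode, "ip": hp[0], "port": hp[1]}


def verdict(info: dict, gt: int = RULE_PORT_GT, last: int = EPHEMERAL_LAST) -> str:
    """How the data connection meets a ruleset like the one in the post:
    passive data is outbound, its replies match the state of the 'pass out'
    rule, and no 'pass in' rule is consulted; active data arrives unsolicited
    at the client's announced port and only passes if that port is > gt."""
    if info["mode"] == "passive":
        return "passive-outbound"
    if gt < info["port"] <= last:
        return "active-inbound-covered"
    return "active-inbound-uncovered"


def audit(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Run classify()+verdict() over a control-channel capture, skipping
    lines that do not set up a data connection."""
    out = []
    for line in lines:
        info = classify(line)
        if info is not None:
            out.append((info["mode"], info["port"], verdict(info)))
    return out


# Constructed control-channel excerpt (not a real capture): one passive
# transfer, one active transfer above 49152, one active transfer below it.
CONSTRUCTED_SESSION = [
    "220 ftp.example.org FTP server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "RETR ports.tar.gz",
    "PORT 192,168,1,7,200,10",
    "LIST",
    "PORT 192,168,1,7,4,1",
    "LIST",
]

if __name__ == "__main__":
    for mode, port, v in audit(CONSTRUCTED_SESSION):
        print(f"{mode:8s} port {port:5d}: {v}")
```

Two things follow from running this over a capture of your own. First, a client that only ever uses passive mode (which is what the post reports working) never needs the `pass in ... port >49152` rule at all: the data connection is outbound and stateful filtering carries its replies. Second, the `PORT` lines show why active mode cannot work from behind the router without help: the client announces its private 192.168.1.x address, which the remote server cannot reach unless a NAT-aware component rewrites it. Rewriting those addresses and opening a narrow, per-transfer hole is exactly what ftp-proxy(8) does, but it expects to run on the NAT gateway that PF is filtering, which is the router in this setup rather than the single-NIC FreeBSD host.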


----------



## SIFE (Oct 26, 2009)

```
tcp_services = "{ http, 21, https }"
block in log all
pass out log inet proto tcp from any to any port 21
pass out log inet proto tcp from any to any port > 1023
pass out proto tcp to any port $tcp_services
```
This may help you.


----------



## zeissoctopus (Nov 11, 2009)

*Solved*

Finally, I replaced my router with a Soekris embedded x86 board.

I installed OpenBSD and configured PF on the Soekris.

The FreeBSD PC with 1 NIC works for the httpd and sendmail servers in jails. I disabled PF on this FreeBSD host.

Every PC, notebook, and FreeBSD jail behind the new Soekris PF firewall works fine. I just followed the PF handbook and it works.


----------

