

client FTP using NAT



I am having trouble allowing clients inside the PF (PacketFilter)
firewall to retrieve data from external FTP sites. The connection works fine, but
a simple ls on the remote server returns "Connection closed by remote
host." My pf.conf is below; any help would be appreciated.
 
Thanks in advance,
 
Keith
 
##########
# MACROS #
##########

# Internal (intranet) side
int_if="xl0"
int_net="192.168.1.0/24"

# DMZ side
dmz_if="vr0"
dmz_net="10.11.13.0/24"

# DMZ hosts; the web and ftp services live on the same host (.100)
dmz_http_addr="10.11.13.100"
dmz_ftp_addr="10.11.13.100"
dmz_perforce_addr="10.11.13.106"
dmz_cerebro_addr="10.11.13.103"

# External (Internet) side: 5 externally addressable IPs. Per-address roles:
#   .17  gw (ext_gw_addr)
#   .18  NAT
#   .19  company.com (used for both ext_http_addr and ext_ftp_addr)
#   .20  UNUSED
#   .21  UNUSED
#   .22  OTHER
ext_if="xl1"
#ext_net="xxx.yyy.zzz.0/29"

ext_gw_addr="xxx.yyy.zzz.17"
ext_nat_addr="xxx.yyy.zzz.18"
ext_http_addr="xxx.yyy.zzz.19"
ext_ftp_addr="xxx.yyy.zzz.19"
ext_unused1_addr="xxx.yyy.zzz.20"
ext_unused2_addr="xxx.yyy.zzz.21"
ext_other_addr="xxx.yyy.zzz.22"


##########
# TABLES #
##########

# Loopback and RFC 1918 space: never a legitimate source on the Internet
# side, never a legitimate destination leaving it.
table <priv_nets> const { 127/8, 10/8, 172.16/12, 192.168/16 }

# The firewall's secondary external addresses (.18 through .21), spelled via
# the macros above so the two lists cannot drift apart. Not referenced by any
# rule in this file.
table <firewall> const { $ext_nat_addr, $ext_http_addr, $ext_unused1_addr, $ext_unused2_addr }
 
###########
# OPTIONS #
###########
# (none set; pf defaults apply)
 

#################
# NORMALIZATION #
#################
# Reassemble IP fragments on every interface before packets reach the filter
# rules, so the rules below and the state table only ever see whole packets
# and fragment-based evasion of the filter is not possible.
scrub in all fragment reassemble
 
############
# QUEUEING #
############
# (no queues defined)

###############
# TRANSLATION #
###############
# Outbound connections from the workstations ($int_net) and from the DMZ
# servers ($dmz_net) both leave $ext_if with $ext_nat_addr as their source.
# The list expands to one nat rule per network, internal net first.
nat on $ext_if from { $int_net, $dmz_net } to any -> $ext_nat_addr


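###############
# REDIRECTION #
###############
# Outgoing FTP requests to the ftp-proxy
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used
# to handle an FTP SERVER behind a PF filter.
#
# Every TCP connection arriving on the intranet interface for port 21 (ftp),
# whatever its destination, is sent to ftp-proxy on the firewall's loopback
# address, port 8021. "from any" is acceptable only because $int_if faces the
# intranet.
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# WWW server access
# Redirect only the published address. "$ext_if" would expand to every
# address configured on xl1 (gateway, NAT and spare addresses included);
# $ext_http_addr (.19, company.com) is the one meant for the DMZ web server,
# matching how the ftp rules below use $ext_ftp_addr.
rdr on $ext_if proto tcp from any to $ext_http_addr port http -> $dmz_http_addr port http

# FTP server access (VSFTP on lab5 uses 30000-30999; if we change ftp servers
# then modify). Control connection on 21, data ports on the fixed range.
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 21 -> $dmz_ftp_addr port 21
rdr on $ext_if proto tcp from any to $ext_ftp_addr port 30000:30999 -> $dmz_ftp_addr port 30000:30999
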
 

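#############
# FILTERING #
#############
# Default deny in both directions, logged; the rules below open only what is
# needed. pf evaluates rules last-match-wins unless a rule says "quick".
block in log all
block out log all

pass quick on lo0 all

# Private-space sources arriving from the Internet are spoofed: drop them.
# Never let private-space destinations leak out onto the Internet either.
block in log quick on $ext_if from <priv_nets> to any
block out quick on $ext_if from any to <priv_nets>

antispoof quick for { $int_if, $dmz_if } inet

# Inbound HTTP to the DMZ web server (destination already rewritten by the
# rdr above). synproxy makes the firewall complete the TCP handshake before
# the server ever sees the connection.
pass in on $ext_if proto tcp from any to $dmz_http_addr port http flags S/SA synproxy state

# FTP Client active connections working with ftp-proxy
# The remote server's data connection (source port ftp-data) comes back to
# the firewall's own external address and must land on a socket owned by the
# account ftp-proxy runs as ("proxy").
pass in on $ext_if inet proto tcp from port ftp-data to $ext_if user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state

# Enables FTP active mode connections. See the redirection section for the
# line that enables FTP passive.
#
# NOTE: ftp-proxy is to help FTP CLIENTS behind a PF filter; it is NOT used
# to handle an FTP SERVER behind a PF filter.
#pass in on $ext_if inet proto tcp from port ftp-data to $ext_nat_addr user proxy flags S/SA keep state

# FTP Server specific rules
# The data-port range is the same 30000:30999 the rdr above translates;
# "> 29999" would also have opened 31000-65535 on the DMZ ftp host.
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass in quick on $ext_if proto tcp from any to $dmz_ftp_addr port 30000:30999 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 21 keep state
pass out quick on $dmz_if proto tcp from any to $dmz_ftp_addr port 30000:30999 keep state

# Pass all traffic to and from the Internal Network
pass in on $int_if from $int_net to any keep state
#pass out on $int_if from any to $int_net keep state
# "block out log all" also drops connections the firewall itself opens
# towards the intranet, and ftp-proxy(8) is expected to open one such
# connection (from the firewall's $int_if address to the client) for each
# active-mode data transfer it relays. Pass exactly that and nothing more:
# the commented-out "from any" form above would also give DMZ hosts, which
# are passed in "to any" on $dmz_if, a path into the internal network.
pass out on $int_if proto tcp from $int_if to $int_net user proxy flags S/SA keep state

# Pass all traffic to and from the DMZ Network
pass in on $dmz_if from $dmz_net to any keep state
pass out on $dmz_if from any to $dmz_net keep state

# Pass TCP, UDP, and ICMP out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state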