
List:       openbsd-pf
Subject:    Re: rdr to internal ftp
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2003-07-30 17:24:08

On Mon, Jul 28, 2003 at 03:11:28AM -0500, Scircuit wrote:

> rdr on $ExtIF proto tcp from any to any port 7777 -> $FtpServer
> 
> pass in on $ExtIF inet proto tcp from any to $ExtIF port $tcp_allow \
>          flags S/SA modulate state

Translation occurs before filtering. The incoming connection will first
have its destination address replaced with $FtpServer by the redirection
rule. Then the filter rules are evaluated. Since you specify 'to
$ExtIF', the rule doesn't match (the destination address is no longer
$ExtIF, but $FtpServer).

> If I change the rule to not use variables, the rule is the following:
> 
> pass in on $ExtIF inet proto tcp from any to any port 7778 flags S/SA modulate state 

Here, you don't restrict the destination address at all, hence the rule
applies, and the control connection works.

> Is there an error in the rules that prevents me from listing directories on the ftp server?

FTP is a tricky protocol, and you need to understand how it works to
solve this.

The FTP client opens the control connection to the FTP server (this is
probably the only connection you were aware of before). Through this
connection, the client sends commands (like LS /) and the server sends
status messages.

When you transfer a file or list a directory, that data is not sent over
the control connection. Instead, a separate data connection is
established between client and server, and the data is sent through that
connection. The control connection remains open, so you can issue other
commands, etc.

There are two ways to open the data connection:

  a) passive mode: the server chooses a port to listen on, and the
     client connects to the server

  b) active mode: the client chooses a port to listen on, and the
     server connects back to the client

In both cases, the port is usually chosen randomly, unless you configure
specific ports.

In your case, it should be obvious that passive mode will not work
without further hassle. The client would connect to your external
address, and that connection would never get forwarded to the server.

Active mode, however, should work. Though if the client is behind its
own NAT gateway, it can't do active mode, for the same reason (your
connection back would not reach it).

If you want to make passive mode work, you can

  a) Configure the FTP server to use a specific range of ports for the
     data connections, and forward those with an additional rdr.
     Since the server tells the client not just what port to connect
     to, but also what IP address, you'll also have to make sure the
     FTP server pretends to have the external address. Several FTP
     daemons have such options.

  b) Use a proxy on the gateway that intercepts the control connections,
     modifies the replies containing IP addresses and ports so that the
     client will connect to the proxy on the gateway, and then proxies
     those connections to the FTP server.
     ftp-proxy(8) with the 'reverse proxy patch' (search the mailing
     list archive) can do that.

Daniel
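The following pf.conf fragment is an added example, not part of the original thread or of Daniel's reply. It puts the two points above into rules: the filter rule for the redirected control connection must match the translated (internal) destination rather than $ExtIF, and option (a) for passive mode forwards a fixed data port range with a second rdr. The macro names, the interface fxp0, the server address 192.168.1.10, the use of port 21 and the passive range 49152-49199 are assumptions; the FTP daemon itself must separately be configured to use that range and to advertise the external address, which is outside pf.

```pf
# Added example (not from the original thread). Names, addresses, the port 21
# mapping and the passive port range are assumptions for illustration.

ext_if     = "fxp0"           # external interface (assumed)
ftp_server = "192.168.1.10"   # internal FTP server (assumed)
pasv_ports = "49152:49199"    # range the FTP daemon is configured to use for
                              # passive data connections (assumed)

# --- Translation rules: evaluated before the filter rules -----------------

# Control connection: redirect external port 21 to the internal server.
rdr on $ext_if proto tcp from any to $ext_if port 21 -> $ftp_server

# Passive mode, option (a): forward the daemon's configured data port range.
# With no target port given, the original destination port is kept, so
# external 49152 maps to 49152 on the server, and so on.
rdr on $ext_if proto tcp from any to $ext_if port $pasv_ports -> $ftp_server

# Active mode: the server connects back out to the client, so no rdr is
# needed; its outbound connections are NATed to the external address.
nat on $ext_if from $ftp_server to any -> $ext_if

# --- Filter rules: evaluated after translation ---------------------------

block in on $ext_if all

# Does NOT match: by the time this rule is evaluated, the destination
# address has already been rewritten from $ext_if to $ftp_server.
#pass in on $ext_if inet proto tcp from any to $ext_if port 21 \
#        flags S/SA modulate state

# Matches: filter on the translated destination.
pass in on $ext_if inet proto tcp from any to $ftp_server port 21 \
        flags S/SA modulate state

pass in on $ext_if inet proto tcp from any to $ftp_server port $pasv_ports \
        flags S/SA modulate state

# Same principle in the other direction: after the nat rule above, the
# server's active-mode connections leave with source address $ext_if, so
# a 'pass out' rule must match that, not $ftp_server.
pass out on $ext_if inet proto tcp from $ext_if to any \
        flags S/SA modulate state
```

The order of the sections matters for pf of that era: translation rules (nat, rdr) must all come before the filter rules in pf.conf. Load with `pfctl -f /etc/pf.conf` and confirm the redirection is in place with `pfctl -s nat`; a connection from outside to port 21 on the external address should then show up under `pfctl -s state` with the internal server as its destination.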