02-16-2008, 06:45 AM
Shane Almeida
 
Posts: n/a
Default Re: pf and ftp proxy for lan ftp clients

On Sat, 11 Jun 2005 04:13:43 GMT, dave wrote:
> Hello,
> Thanks for everyone's help so far. I wish this would work, but I'm very
> impressed and grateful for all the support. My rules are coming from an
> OpenBSD tutorial site I found on:


You might want to try the official pf FAQ. I think the examples are a lot
easier to follow than that guide you are using.
http://www.openbsd.org/faq/pf/

[snip a lot of pf rules]

Try adding more "log" directives to your rules. Other than that, I can't
help much with your rules. I hate to say it, but I think maybe you should
start over unless someone else can spot the problem. The ruleset you are
using now is not really complex, but it's not trivial either. The order
of some of the rules seems odd to me as well (e.g. I don't like the block
rules mixed in with the pass rules). Maybe I'm just used to my style, but
I found it hard to follow your rules.

My suggestion is to make a really simple ruleset and, once that is
working, build up from there. Building from a very basic ruleset will
help you debug and will probably make maintenance a lot easier.

Try following the pf FAQ examples. The order of their rules seems much
more logical to me. I find it a whole lot easier to read their ruleset
than to try to figure out the one in the example you used. Here's the
basic idea:

1. Create a NAT rule for the internal clients.
2. Create redirection to ftp-proxy.
3. Block and log everything by default.
4. Pass everything on lo0 (there's a fancy way to do this in 3.7).
5. Silently block traffic that shouldn't exist. You can use the antispoof
rules and a table with RFC1918 addresses to do this easily.
6. Pass in traffic from the Internet to the services on the firewall and
keep state. At this point you can test connectivity from an external
host.
7. Pass in traffic from the LAN to the services on the firewall and keep
state. You can do the same testing from internal hosts now.
8. Pass appropriate traffic on the LAN. Now test intranet communication.
9. Pass out traffic from the firewall (and NAT'ed clients) to the
Internet. Test connections from the firewall and then from the NAT
clients. Test FTP from both.

Sorry I couldn't give you more help on your rules, but I just can't make
sense of them. Maybe I just need to look them over again in the morning.
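The nine steps above written out as one pf.conf, in the order the reply recommends. This is an added example for this page, not the poster's rules and not the OpenBSD FAQ's own ruleset; the interface names, the LAN prefix, the exposed services, the 3.7-era inetd-based ftp-proxy arrangement and the "user proxy" data-channel rule are all assumptions, so check them against pf.conf(5) and ftp-proxy(8) for your release.

```pf
# Added example, not from the post or the OpenBSD FAQ: a minimal pf.conf
# built in the order the reply recommends, in OpenBSD 3.7-era syntax.
# Interfaces, addresses and services are assumed; adjust to your own.
ext_if = "fxp0"                  # assumption: Internet-facing NIC
int_if = "dc0"                   # assumption: LAN NIC
tcp_services = "{ ssh }"         # assumption: the only service the firewall offers

# RFC 1918 space for step 5: these addresses must never arrive from, or
# leave toward, the Internet on $ext_if.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Step 4: pass everything on lo0. "set skip" is the 3.7 shortcut the reply
# alludes to; it is an option, so it has to sit before the nat/rdr rules.
set skip on lo0

# Step 1: NAT for the internal clients. The parentheses make pf re-read
# $ext_if's address if it changes (DHCP, PPPoE).
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Step 2: redirect LAN clients' FTP control connections to ftp-proxy.
# 3.7's ftp-proxy runs from inetd; the assumed matching inetd.conf line is
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Step 3: default deny, logged, so tcpdump on pflog0 shows exactly which
# packets the pass rules below failed to cover.
block log all

# Step 5: silently drop traffic that should not exist. antispoof catches
# packets claiming an interface's own network from the wrong interface;
# the table rules drop private addresses on the external side.
antispoof quick for { lo0 $int_if }
block drop in  quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>

# Step 6: services on the firewall reachable from the Internet.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# The old ftp-proxy (running as user "proxy") opens the data channel to the
# server in active mode, so the server's connection from port 20 back to
# the proxy has to be let in. Assumption taken from the 3.x FAQ.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state

# Step 7: services on the firewall reachable from the LAN. The rdr above
# has already rewritten the FTP destination by the time filtering runs, so
# the pass rule must match 127.0.0.1 port 8021, not port 21.
pass in on $int_if inet proto tcp from $int_if:network to $int_if port $tcp_services flags S/SA keep state
pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port 8021 flags S/SA keep state

# Step 8: general LAN traffic through the firewall.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Step 9: outbound from the firewall and, after NAT, from the clients.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch what the default block catches with `tcpdump -n -e -ttt -i pflog0` while testing each step. One caveat a practitioner will hit: if $ext_if itself sits on an RFC 1918 address (a cable or DSL modem in router mode), the two `<rfc1918>` rules on $ext_if block everything and must be dropped or narrowed.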