Hello,

I've got OpenBSD 4.2 set up as a firewall/gateway. I'm using pf and ftp-proxy. All of that is working fine from behind the lan, clients can get to ftp sites and retrieve files. My issue is the gateway box itself can not. I try to set the PKG_PATH environment variable so I can download packages but I keep getting timeouts. From the tcpdump output I'm seeing pf is blocking connections back to the gateway box's port 20 and blocking outgoing connections. I can connect to the ftp sites just fine from behind the gateway from lan boxes, and can connect fine from the gateway, but when I go to do anything like an ls, or a cd or a get, I get disconnected. Any ideas what to check?

Thanks.
Dave.
Dave <dmehler26@woh.rr.com> wrote:
> I've got OpenBSD 4.2 set up as a firewall/gateway. I'm using pf and
> ftp-proxy. All of that is working fine from behind the lan, clients can
> get to ftp sites and retrieve files. My issue is the gateway box itself
> can not. I try to set the PKG_PATH environment variable so i can
> download packages but i keep getting timeouts. From the tcpdump output
> i'm seeing pf is blocking connections back to the gateway box's port 20
> and blocking outgoing connections. I can connect to the ftp sites just
> fine from behind the gateway from lan boxes, and can connect fine from
> the gateway, but when i go to do anything like an ls, or a cd or a get,
> i get disconnected. Any ideas what to check?

pf.conf would be *very* helpful.

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn
Hello,

I've included the pf.conf file below.

Dave.

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "xl0"
int_if = "dc0"
tcp_state="flags S/SA keep state"
int_net = $int_if:network
ipphone1="192.168.0.5"
sip="5060:5081"
sip2="19034"
sip3="16398"
sip4="64339"
sip5="1024:65535"

# define some address macros
lan_server = "192.168.0.3"
vpn_server = "192.168.0.4"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, 81, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4661, 4662, 4711, 4821, 5000, 6969, 11371, 2200, 5001, 5190, 5999, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102, 8026, 26881, 5050, 8443 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ 65.24.7.3, 127.0.0.1, 68.166.89.140, 69.46.17.123 }"
isp_dhcp_server = "10.40.224.1"
InICMP = "{ 3,8,11 }"
OutTracerouteUDP="{ 33434 >< 33525 }"

# options
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0

# normalize packets to prevent fragmentation attacks
scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# One translation line per IP phone. static-port is necessary to make pf retain the UDP
# ephemeral port, so that the remote SIP proxy knows what session we belong to
nat on $ext_if inet proto udp from $ipphone1 to any -> ($ext_if) static-port

# translate lan client addresses to that of the external interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto tcp from any to any port $sip4 -> $ipphone1
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn_server port 1194
rdr on $int_if inet proto tcp from $int_net to any port www -> 192.168.0.254 port 3128

anchor "ftp-proxy/*"

# block by default
block log all

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $vpn_server port 1194 keep state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from any port bootps to 255.255.255.255 port bootpc keep state

# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $ext_if inet proto icmp from any to any icmp-type $InICMP keep state

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 53 $tcp_state

# allow UDP requests to port 123 from firewall to exit ext_if_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 123 $tcp_state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps keep state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services $tcp_state

# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ext_if inet proto udp from any to any port $OutTracerouteUDP keep state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out quick on $ext_if inet proto icmp from $ext_if to any icmp-type 8 code 0 keep state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port 53 $tcp_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port { 67, 68, 123 } $tcp_state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_net to any port $lan_to_int_services $tcp_state

# lan admin connects to firewall via ssh for administrative purposes
pass in quick on $int_if inet proto tcp from $int_net to $int_if port $lan_to_fw_services $tcp_state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_net to any icmp-type 8 code 0 keep state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 192.168.0.254 port 3128 $tcp_state

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# UDP 1194
pass out quick on $int_if inet proto udp from any to $vpn_server port 1194 keep state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services $tcp_state

# sip for viatalk
pass in quick on $int_if inet proto udp from $ipphone1 port $sip to any keep state
pass in quick on $int_if inet proto udp from $ipphone1 port $sip2 to any keep state
pass in quick on $int_if inet proto udp from $ipphone1 port $sip3 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip to any keep state
pass out quick on $ext_if inet proto udp from any port $sip2 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip3 to any keep state
pass in quick on $int_if inet proto tcp from $ipphone1 port $sip to any $tcp_state
pass in quick on $int_if inet proto tcp from $ipphone1 port $sip to any $tcp_state
pass out quick on $ext_if inet proto tcp from any port $sip to any $tcp_state

# sip protocols from the internet
pass in quick on $ext_if inet proto tcp from any to any port $sip4 $tcp_state
pass out quick on $int_if inet proto tcp from $int_if to $ipphone1 port $sip4 $tcp_state

# these are for rtp audio reception
pass in quick on $int_if inet proto udp from $ipphone1 port $sip5 to any keep state
pass out quick on $ext_if inet proto udp from any port $sip5 to any keep state

"Helmut Schneider" <jumper99@gmx.de> wrote in message news:5rilhbF14vdl9U1@mid.individual.net...
> Dave <dmehler26@woh.rr.com> wrote:
>> I've got OpenBSD 4.2 set up as a firewall/gateway. I'm using pf and
>> ftp-proxy. All of that is working fine from behind the lan, clients can
>> get to ftp sites and retrieve files. My issue is the gateway box itself
>> can not. I try to set the PKG_PATH environment variable so i can
>> download packages but i keep getting timeouts. From the tcpdump output
>> i'm seeing pf is blocking connections back to the gateway box's port 20
>> and blocking outgoing connections. I can connect to the ftp sites just
>> fine from behind the gateway from lan boxes, and can connect fine from
>> the gateway, but when i go to do anything like an ls, or a cd or a get,
>> i get disconnected. Any ideas what to check?
>
> pf.conf would be *very* helpful.
>
> --
> No Swen today, my love has gone away
> My mailbox stands for lorn, a symbol of the dawn
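As an added illustration that is not part of the thread: a small Python model of pf's last-match filter evaluation (a matching "quick" rule ends evaluation) applied to the two rules in the pf.conf above that see the gateway's own TCP traffic on $ext_if. It shows why the FTP control connection to port 21 passes while neither a passive-mode data connection (arbitrary server port) nor an active-mode data connection (inbound from port 20) has any pass rule; the port numbers 50123 and 49154 are constructed, and "keep state" and the ftp-proxy anchor are deliberately left out because the rdr to ftp-proxy sits on $int_if and never sees connections the gateway originates itself.

```python
from dataclasses import dataclass
# Port set copied from the post's $lan_to_int_services macro (service names resolved).
LAN_TO_INT_SERVICES = {
    20, 21, 22, 25, 43, 53, 80, 81, 110, 119, 143, 443, 993, 995, 1790, 1791, 1792, 1793,
    1794, 1795, 2401, 4000, 4661, 4662, 4711, 4821, 5000, 6969, 11371, 2200, 5001, 5190,
    5999, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102, 8026, 26881, 5050, 8443}

@dataclass
class Rule:
    action: str              # "pass" or "block"
    direction: str = None    # "in", "out" or None for either direction
    quick: bool = False
    proto: str = None        # None matches any protocol
    dst_ports: set = None    # None matches any destination port

@dataclass
class Packet:
    direction: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction) and rule.proto in (None, pkt.proto)
            and (rule.dst_ports is None or pkt.dport in rule.dst_ports))

def evaluate(rules: list, pkt: Packet) -> str:
    """pf filter semantics: the last matching rule wins, unless a matching rule is quick."""
    verdict = "pass"         # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# The two rules from the post that see the gateway's own TCP traffic on $ext_if. "keep state"
# is not modelled: each flow is a fresh connection, and no ftp-proxy opens the data channel.
GATEWAY_RULES = [
    Rule("block"),                                                    # block log all
    Rule("pass", "out", quick=True, proto="tcp", dst_ports=LAN_TO_INT_SERVICES),
]

def ftp_verdicts() -> dict:
    # Flows a gateway-side ftp session needs; ports 50123 and 49154 are constructed examples.
    flows = {
        "control connection to port 21": Packet("out", "tcp", 21),
        "passive data connection to server port 50123": Packet("out", "tcp", 50123),
        "active data connection from server port 20": Packet("in", "tcp", 49154),
    }
    return {name: evaluate(GATEWAY_RULES, pkt) for name, pkt in flows.items()}
```

Only the control connection gets a pass verdict, which matches the symptom of logging in fine and then losing the session on the first ls, cd or get.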
Dave <dmehler26@woh.rr.com> wrote:
>> pf.conf would be *very* helpful.
>
> I've included the pf.conf file below.

OK, the *relevant* part would have been enough.

> pass out quick on $ext_if inet proto tcp from $ext_if to any port
> $lan_to_int_services $tcp_state

Anyway, I can't find any rules for lo0. Also, if you are using OpenBSD >=4.2 "flags S/SA keep state" is default.

--
No Swen today, my love has gone away
My mailbox stands for lorn, a symbol of the dawn
Hi Dave,

I had the same problem. My solution:

no rdr on $int_if proto tcp to $int_ip port ftp
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

The second line is the one from http://openbsd.org/faq/pf/example1.html#allrules

The first line says "do not redirect to the ftp-proxy if the destination IP is the LAN-IP of the gateway machine".

Regards
DR
Hello,

Thanks. I have a skip for lo0 so nothing will touch it. Thanks for the tip on flags.

Dave.

"Helmut Schneider" <jumper99@gmx.de> wrote in message news:5sn09jF1a700fU1@mid.individual.net...
> Dave <dmehler26@woh.rr.com> wrote:
>
>>> pf.conf would be *very* helpful.
>>
>> I've included the pf.conf file below.
>
> OK, the *relevant* part would have been enough.
>
>> pass out quick on $ext_if inet proto tcp from $ext_if to any port
>> $lan_to_int_services $tcp_state
>
> Anyway, I can't find any rules for lo0. Also, if you are using OpenBSD
> >=4.2 "flags S/SA keep state" is default.
>
> --
> No Swen today, my love has gone away
> My mailbox stands for lorn, a symbol of the dawn