My -current firewall is configured to block all in, block all out
and allow only certain outbound connections.
Now I want to allow outbound ftp connections.
I read ftp-proxy(8) and
http://openbsd.org/faq/pf/ftp.html#client.
As I understand it, ftp-proxy could be used to create rules for
inbound and outbound connections on 4.6. Now on -current the rdr
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
suggests using rdr-to, but this only works for inbound
connections.
Is it possible to allow ftp connections from a local client to
public ftp servers on the internet? Possibly by using ftp-proxy?
Kind regards,
Christopher
Use 4.6, read this: http://www.openbsd.org/faq/current.html#20090901 or
wait until 4.7 and read the new man page.
Cheers,
noah
On 2010-03-11, Christopher Zimmermann
I suspect your understanding of "inbound" is from the viewpoint
of your network; PF doesn't care about that at all, it's only
concerned with whether a packet is inbound or outbound to a
particular interface.
rdr only works for inbound connections too.
A rule like the following works just fine for a ftp connection
from a local client to a public ftp server:
pass in quick log on {lan, wifi, natted} inet proto tcp
to port 21 rdr-to 127.0.0.1
On 12 March 2010 c. 03:23:00 Stuart Henderson wrote:
Well, if "block out all" is set on external interface then ftp-proxy
outgoing connections will be blocked - ftp-proxy(8) does not create PF
rules for connections itself. Something like
pass out on $ext_if from ($ext_if) to port ftp
will work around this, but I think ftp-proxy(8) should be fixed instead...
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:
ok, thanks. That's clear. I don't have a whole net. It's just a
single workstation, using pppoe0 to reach the internet. So the
ftp client is running on the firewall, not behind it. The packets
will be outbound on my pppoe0, but not inbound on any interface,
will they?
As I understood it, it works -only- for inbound connections.
Isn't this just the example from the default pf.conf with
"on {...}" added and port 8021 left away?
After reading http://www.openbsd.org/faq/current.html#20090901
it seems to me that it is in fact not possible at the moment to
use an ftp-client on a firewall until the current restriction on
rdr-to in pfctl will be removed. Is this true?
Christopher
On 2010/03/12 10:14, Vadim Zhukov wrote:
True, I was just considering the differences from 4.6.
hmm, that used to be there... what do you think, does this make sense?
Index: ftp-proxy.8
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
On 12 March 2010 c. 10:42:57 Stuart Henderson wrote:
FTP server is not on egress? (yes, my workaround proposal was bad at
that too)? Dropping "on egress" will be stupid because this will
definitely allow more connections than intended.
Basic algorithm for fix as I see it:
s = socket();
bind(s);
getsockname(s, sa);
add-peer-rule(sa, dest);
connect(dest);
I'll come up with a diff in a few hours, when I'm online again.
What do you think?
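Vadim's sketch above (socket, bind, getsockname, add rule, connect) carried out in working C, as an added example that is not part of the thread or of the ftp-proxy patch: the socket is bound to the unspecified address with port 0, the kernel picks the ephemeral source port, and getsockname(2) reads it back, so a proxy would know the exact source (addr, port) of its outgoing connection before connect() and could add a pass rule for just that connection. bind_and_learn_port() is a hypothetical helper name; the pf rule insertion itself is left as a comment.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Bind a fresh TCP socket to the unspecified address ("0.0.0.0" or "::")
 * with port 0 so the kernel assigns a source port from its ephemeral
 * range, then read that port back with getsockname(2). A proxy that
 * knows its source (addr, port) before connect() can insert a pass rule
 * for exactly that connection. Returns the socket (>= 0) and stores the
 * port in host byte order in *port; returns -1 on failure.
 */
int bind_and_learn_port(int family, unsigned short *port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int s;

    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
        sin6->sin6_family = AF_INET6;
        sin6->sin6_addr = in6addr_any;            /* "::", port stays 0 */
        len = sizeof(*sin6);
    } else {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        sin->sin_family = AF_INET;
        sin->sin_addr.s_addr = htonl(INADDR_ANY); /* "0.0.0.0", port 0 */
        len = sizeof(*sin);
    }
    /* On the BSDs you would also set sin_len / sin6_len here. */
    if ((s = socket(family, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(s, (struct sockaddr *)&ss, len) != 0 ||
        getsockname(s, (struct sockaddr *)&ss, &len) != 0) {
        close(s);
        return -1;
    }
    *port = ntohs(family == AF_INET6 ?
        ((struct sockaddr_in6 *)&ss)->sin6_port :
        ((struct sockaddr_in *)&ss)->sin_port);
    /* Here the proxy would add its pass rule for (local addr, *port) -> dest
     * and only afterwards call connect(). */
    return s;
}
```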
On 2010-03-12, Vadim Zhukov
Hmm. I think it's more flexible to have an explicit rule, then people
can choose interfaces, add rule options, etc, as they wish. For example
ftp-proxy has no way to tell which interface you might want to permit.
On 2010-03-12, Christopher Zimmermann
yes, that's what I said; there's no change though:
in 4.6, rdr only works for inbound connections
in -current rdr-to only works for inbound connections
ftp-proxy never was applicable to this sort of situation..
you'll need to add rules to allow the connections through if you want
to do this.
Stuart Henderson
ok. That was my question. Thanks!
So essentially I have to allow inbound connections to the range between
net.inet.ip.porthifirst
net.inet.ip.porthilast
for active ftp, and allow outbound connections from those ports for passive ftp?
On 2010-03-12, madroach@zakweb.de
yep. you can also restrict by userid if you like.
On 12 March 2010 c. 13:22:41 Stuart Henderson wrote:
It has: you can use either -T flag and then "tagged" in pf.conf, or just
anchor options.
We cannot tell (directly) which interface you might want to permit
when creating rules for file transfer either.
So here is a patch proposal.
Index: ftp-proxy.c
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.c,v
retrieving revision 1.20
diff -u -p -r1.20 ftp-proxy.c
#define sstosa(ss) ((struct sockaddr *)(ss))
+#define sstosin(ss) ((struct sockaddr-in *)(ss))
+#define sstosin6(ss) ((struct sockaddr-in6 *)(ss))
enum { CMD-NONE = 0, CMD-PORT, CMD-EPRT, CMD-PASV, CMD-EPSV };
@@ -448,9 +450,9 @@ handle-connection(const int listen-fd, s
strerror(errno));
goto fail;
}
- if (fixed-proxy && bind(s-+ if (bind(s- fixed-proxy-ss.ss-len) != 0) {
- logmsg(LOG-CRIT, "#%d cannot bind fixed proxy address: %s",
+ logmsg(LOG-CRIT, "#%d cannot bind (fixed) proxy address: %s",
s- goto fail;
}
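Review bot: the bind in handle_connection() now runs unconditionally against fixed_proxy_ss, but as far as the visible lines show there is no getsockname() after it and no rule insertion before the connect, so the "add-peer-rule" step of the sketched algorithm (socket, bind, getsockname, add rule, connect) is still missing; with "block out all" on the external interface the proxy's outgoing control connection would still be dropped. The log message change to "(fixed) proxy address" is cosmetic and fine.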
@@ -586,6 +588,8 @@ main(int argc, char *argv[])
{
struct rlimit rlp;
struct addrinfo hints, *res;
+ struct sockaddr-in6 *sin6;
+ struct sockaddr-in *sin;
struct event ev, ev-sighup, ev-sigint, ev-sigterm;
int ch, error, listenfd, on;
const char *errstr;
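Review bot: sin6 and sin are only used inside the new else branch further down in main(), so declaring them in that branch (or casting inline, as the existing sstosa() users do) keeps their scope minimal; a minor style point.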
@@ -701,6 +705,21 @@ main(int argc, char *argv[])
logmsg(LOG-INFO, "using %s to connect to servers",
sock-ntop(sstosa(&fixed-proxy-ss)));
freeaddrinfo(res);
+ } else {
+ memset(&fixed-proxy-ss, 0, sizeof(struct sockaddr-storage));
+ if (ipv6-mode) {
+ sin6 = sstosin6(&fixed-proxy-ss);
+ sin6-+ sin6-+ if (inet-pton(AF-INET6, "::", &sin6-+ errx(1, "inet-pton unspecified address "
+ "failed: %s", strerror(errno));
+ } else {
+ sin = sstosin(&fixed-proxy-ss);
+ sin-+ sin-+ sin-+ }
}
if (fixed-server) {
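Review bot: in the ipv6_mode branch, a failure of inet_pton(AF_INET6, "::", ...) is reported with strerror(errno), but inet_pton returns 0 for an unparsable string without setting errno, so the message can print a stale error; since the address is the constant "::", assigning in6addr_any (or simply relying on the preceding memset, which already zeroes the address) avoids the call and the error path entirely. Please also make sure ss_len and ss_family are set in both branches (the extracted lines "sin6-+ sin6-+" and "sin-+ sin-+ sin-+" are unreadable here), because the bind(2) in handle_connection() passes fixed_proxy_ss.ss_len as the address length.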