Hi,
I have a question regarding FTP.
First of all, let me tell you my configuration:
PCLANa1-----a2[proxyBSD]b1-------b2[firewallBSD]c1-----(internet)
a1=192.168.0.3
a2=192.168.0.251
b1=10.4.1.3
b2=10.4.1.2
c1=PublicIPaddress
What I want is to let the PCLAN gain FTP access to a remote FTP server.
These are my pf.conf rules:
In the [proxyBSD]
# Macros
ext_if="fxp0"
int_if="rl0"
NsV="{ a.b.c.d, a.b.c.e}"
Lan="192.168.0/24"
set skip on lo
scrub in all
scrub out all
block in all
block out all
block in quick inet6 all
antispoof quick for { lo $int_if }
pass in on $int_if proto tcp from <proxusers> to $int_if port 3128 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port {21,80,443,8880, 2082} keep state
pass in on $int_if inet proto tcp from any to any port 21 keep state
pass out on $ext_if inet proto tcp from any to any port 21 keep state
pass in on $ext_if inet proto tcp from any to any port >1024 keep state
In the [firewallBSD]
ext_if="xl0"
int_if="fxp0"
ext_ip="a.b.c.d"
Proxy="10.4.1.3"
Lan="192.168.0.0/24"
Lh="127.0.0.1"
#Don't Filter on the loopback interface
set block-policy drop
set skip on lo
scrub in all
scrub out on $ext_if all random-id
nat on $ext_if from !($ext_if) -> $ext_ip
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
block in on { rl0, fxp0, xl0 } all
block out on { rl0, fxp0, xl0 } all
block in quick inet6 all
pass out keep state
anchor "ftp-proxy/*"
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state
pass in on $int_if inet proto tcp from any to any port 21 keep state
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
antispoof quick for { lo $int_if $dmz_if}
# Connections to HTTP, HTTPS
pass in on $int_if proto tcp from $Proxy to any port {21,80,443} keep state
pass out on $ext_if proto tcp from $Proxy to any port {21,80,443} keep state
NOTES:
I cannot do FTP from the [proxyBSD] nor from PCLAN.
If I use pass in and pass out on both machines from PCLAN to any, I can do FTP, but I don't want to give the user all those resources ...
Any ideas?
Thanks
Jorge Valbuena
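As an added reference (not the poster's configuration, and not a confirmed fix for it), this is how the ftp-proxy(8) anchors are normally wired together in a pre-4.7 pf.conf on the firewall host. It assumes ftp-proxy is actually running on [firewallBSD] and listening on its default 127.0.0.1 port 8021, that [firewallBSD] has a route back to $Lan via $Proxy, and it reuses the macro names from the post; the rdr rule is the piece that hands the control connection to ftp-proxy so it can insert per-session pass rules for the data connections.

```pf
# Added example, not the original ruleset: ftp-proxy wiring for [firewallBSD].
# Assumes ftp-proxy(8) runs on this host (127.0.0.1:8021, its default) and
# that this host can route replies back to $Lan through $Proxy.
ext_if="xl0"
int_if="fxp0"
ext_ip="a.b.c.d"
Proxy="10.4.1.3"
Lan="192.168.0.0/24"

set skip on lo
scrub in all

nat on $ext_if from !($ext_if) -> $ext_ip

# ftp-proxy fills these anchors with per-session nat/rdr/pass rules
# for the FTP data connections it negotiates.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Hand the FTP control connection (from the proxy host or the LAN behind it)
# to ftp-proxy on this box instead of forwarding it directly.
rdr pass on $int_if proto tcp from { $Proxy, $Lan } to any port 21 \
    -> 127.0.0.1 port 8021

block in on { $int_if, $ext_if } all
block out on { $int_if, $ext_if } all

anchor "ftp-proxy/*"
# ftp-proxy itself opens the outbound control connection from this host.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state

# Web traffic from the proxy host only, as in the original rules.
pass in on $int_if proto tcp from $Proxy to any port { 80, 443 } keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } keep state
```

After loading, `pfctl -sa -a "ftp-proxy/*"` shows the rules ftp-proxy inserted while an FTP session is active; if that output stays empty during a transfer, the control connection never reached the proxy. The inner [proxyBSD] must still pass (or proxy) the data connections itself, since its `block out all` also applies to them.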