
Re: OpenBSD firewall (default deny) and FTP

This is where having PF understand layer 7 stuff would be great.

In reality you'd want PF to simply examine/reconstitute the tcp stream
of connections to port 21 and look for client->server
commands (carefully, recalling old FW1 bugs).  Then open a "one time"
(remove after first use) allow rule for that connection into the PF
state table.

This would pretty much remove all the problems with FTP & PF.

And with a few extra keywords you could filter out (XXX-style)
commands e.g. allow gets but not puts, or only permit anonymous ftp,
and do lots of funky stuff.

However this is taking steps down another road, where you tell PF about
a protocol, and what you want to allow. 
e.g. realaudio is tcp/X,udp/Y to the server, and udp/Y,udp/Z return.
DNS to-server(to:udp/53) reply(from:udp/53)
FTP to-server(to:tcp/21) reply(from:tcp/20)

Defining the protocols in terms of what to look for and what to put
in the state table is the tricky bit, and then defining a suitably
flexible specification language (you don't want to hard-code this)
for /etc/clever-pf.conf.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
Of Matteo Cavalleri
Sent: Monday, November 25, 2002 8:33 PM
To: misc@openbsd.org
Subject: Re: OpenBSD firewall (default deny) and FTP

> > passive: just let the clients open their connection and keep state.
> Actually, this is what I'm unsure on how to restrict.  What I mean is
> that the rule would allow clients to connect to any of the high ports 
> to any server, such as:

I'm sorry, but I think I didn't understand your problem... do you want to
let programs inside the LAN open outbound connections to a server with
a destination port > 1024 only for the FTP client?

Maybe you can use rdr to make the FTP clients always use ftp-proxy (for
both active and passive transfers) and use the "pass out" command with
the "user" keyword, so that only the user ftp-proxy runs as can open
connections to high ports.



  "Better true to yourself
Than a perfect shadow
       Of somebody else
     An empty shell"

(MrBig, My new religion)
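The rdr-to-ftp-proxy plus "pass out ... user" arrangement suggested in the quoted message, written out as an OpenBSD 3.2-era pf.conf fragment (rdr as a separate translation rule, "keep state" spelled explicitly). This is an added example, not code from either message or from the OpenBSD project. The interface names xl0/xl1, the LAN range and the 49152+ listening range for active-mode data connections are assumptions; 127.0.0.1:8021 and the user "proxy" are the ftp-proxy(8) defaults of that release, where the proxy is spawned from inetd.

```pf
# Added example (not from the thread): default-deny pf.conf that forces LAN
# FTP clients through ftp-proxy(8) on the firewall, so that only the proxy
# user may open connections to high ports on the outside.
# Assumptions: interface names, LAN range, and the > 49151 listening range.
ext_if = "xl0"
int_if = "xl1"
lan    = "192.168.1.0/24"

# Redirect every FTP control connection from the LAN to the local proxy.
# Filter rules below see the translated destination, 127.0.0.1 port 8021.
rdr on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

block all

# LAN hosts may only reach the proxy listener, never port 21 directly.
pass in on $int_if proto tcp from $lan to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Control connection and passive-mode data connections are opened from the
# firewall by ftp-proxy running as user "proxy".  "user" matches the socket
# owner on this host, so no other local process matches these rules, and a
# LAN host cannot match them at all because its sockets are not local.
pass out on $ext_if proto tcp from $ext_if to any port 21 \
    user proxy flags S/SA keep state
pass out on $ext_if proto tcp from $ext_if to any port > 1023 \
    user proxy flags S/SA keep state

# Active-mode transfers: the server connects back from port 20 to a high
# port the proxy is listening on.  For inbound connections "user" is the
# owner of the listening socket, i.e. the proxy again.
pass in on $ext_if proto tcp from any port 20 to $ext_if port > 49151 \
    user proxy flags S/SA keep state
```

Two caveats worth keeping in mind with this approach: the "user" keyword only identifies the owner of a socket on the firewall itself, which is why it works here (the proxy terminates both legs) and why it can say nothing about which user on a LAN host started the transfer; and the rdr only catches control connections to port 21, so an FTP server listening on a non-standard port is simply blocked by the default deny rather than proxied.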