关于pf的ftp-proxy的问题

bjhb

我的pf.conf中加了
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

加了这一句了8021端口也是起来的，
我现在内网能登入外部的ftp server ,但是验证完用户和密码后就没无继续了说"        建立数据 socket 失败",我用tcpdump看好像ftp-server会用一个随机口连接过来，

我只能在外网口上加上
pass in quick  on $ext_if proto tcp from any to $ext_if port 50000><65000  keep state

允许所以有外网的高端口连接，这样ftp 才正常

我在想这样会不会有很大的安全问题啊
请各位说说，大家用 pf的话ftp这块怎么设也是开放外部高端口进来吗

congli

ftp服务端使用的端口本来就是>49151的.
但你是出去,是ftp客户端,应该不需要开啊,反而内网口要放行.
这样可以不
pass out quick $ext_if proto tcp from any to any port >49151 flags S/SA keep state

bjhb

老大来了啊，
我是ftp客户端，
理论上是可以的
我试了
pass out quick on $ext_if proto tcp from any to any port >49151 flags S/SA keep state
pass out quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state
我在pf的内外网卡上都做了还是不行，
其实我是有一条pass out quick on $ext_if proto tcp from any to any keep state的
呵呵，但是还是不行，
我tcpdump的结果是ftp server会用随机端口连接我的$ext_if，
怎么办。
呢、

congli

pass out quick on $ext_if proto tcp from any to any port >49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state
方向反了.

bjhb

我哭啊，我改了来了，试了一下还是不行，
按理我是用ftp-proxy的话
pass in quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state

应该是可以不要的因为内网的ftp全部用pf的那台的外网卡代理了，理论上应该是可以不加的
但是我试过了不管加上或是不加都一样上不了

congli

把rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
取消吧,现在都不需要ftp-proxy的,

正常情况,以下4条就可以:
pass out quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state

pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port 21 flags S/SA keep state

bjhb

老大我又测了，我的规则是：
int_if="fxp2"
ext_if="fxp0"
#nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $int_if proto tcp from  any to any  port 80 -> 127.0.0.1 port 3188
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

pass out quick on $ext_if proto tcp from any to any port {21,20} flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port {21,20} flags S/SA keep state
我想实现的规则是先默认阻止，然后再开通允行的。但是这样ftp就用不了，我把上面的block all注掉ftp就可以了。但是这样会不会也有安全的问题啊，那没有在列表中列出的规则他是默认阻止还是允许啊。

congli

再加一句看看
pass in quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state

bjhb

回复 8# congli


  老大终于搞定了，原来不用加这句的只要把原来这一句
“pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state”
改为
“pass in quick on $int_if proto tcp from any to any port {2000><3500,49151><65535} flags S/SA keep state”  就可以了。
不知道 为什么他还要用到2000到3000之间的端口对外连接，我是用tcpdump发现的，加上这一段端口出去就好了。

congli

呵~原来如此!
tcpdump是个好工具!