Hi all

I am trying to write FTP rules with ftp-proxy.
However, after trying for several hours,
it isn't working.

I'm using OpenBSD 3.8.

My rule set is:

#################################################
# DEFINE INTERFACE
#################################################
## NET
net_if = "em0"
net_if_addr = "192.168.204.9/32"
## INHOUSE
inh_if = "em1"
inh_if_addr = "192.168.1.2/32"
inh_addr = "192.168.1.0/24"
## STAGING
stg_if = "em2"
stg_if_addr = "192.168.202.55/32"
stg_addr = "192.168.202.0/24"

set block-policy drop
set limit frags 30000

## TRAFFIC NORMALIZATION
scrub in on $net_if all no-df

#################################################
# DEFINE NAT
#################################################
nat_proto = "{tcp, udp, icmp}"
nat on $net_if inet proto $nat_proto \
        from $stg_addr to any -> $net_if_addr

rdr on $inh_if proto tcp from any to any port ftp -> 127.0.0.1 \
        port 8021

block drop log all label "Block"

pass in quick on $stg_if proto tcp \
        from $stg_addr to $stg_if_addr port 22 keep state label "SSH"

pass quick proto tcp \
        from $inh_addr to $stg_addr port 80 keep state label "Http"

pass quick proto tcp \
        from $inh_addr to any port 8021 keep state label "FTP Proxy"

pass in on $inh_if proto tcp from port ftp \
        user proxy flags S/SA keep state

pass in inet proto icmp icmp-type 8 code 0 keep state
pass out inet proto icmp icmp-type 8 code 0 keep state

################################################################

My log is:

Apr 03 23:24:47.964222 rule 0/(match) block out on em2:
192.168.202.55.61491 > 192.168.202.71.21: S 4109396834:4109396834(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 03 23:24:57.542489 rule 0/(match) block out on em2:
192.168.202.55.56702 > 192.168.202.71.21: S 2405197263:2405197263(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:00:35.616140 rule 0/(match) block in on em1:
192.168.1.81.137 > 192.168.202.71.137:  udp 50
Apr 04 01:00:37.115951 rule 0/(match) block in on em1:
192.168.1.81.137 > 192.168.202.71.137:  udp 50
Apr 04 01:00:38.616761 rule 0/(match) block in on em1:
192.168.1.81.137 > 192.168.202.71.137:  udp 50
Apr 04 01:02:58.191272 rule 0/(match) block out on em2:
192.168.202.55.62315 > 192.168.202.71.21: S 2975683799:2975683799(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:04:43.919518 rule 0/(match) block out on em2:
192.168.202.55.60969 > 192.168.202.71.21: S 3206894878:3206894878(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:04:58.145897 rule 0/(match) block out on em2:
192.168.202.55.50733 > 192.168.202.71.21: S 2181266723:2181266723(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:06:51.205698 rule 0/(match) block out on em2:
192.168.202.55.53290 > 192.168.202.71.21: S 2508985249:2508985249(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:06:56.622325 rule 0/(match) block out on em2:
192.168.202.55.63802 > 192.168.202.71.21: S 3214160094:3214160094(0)
win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
Apr 04 01:07:51.754100 rule 0/(match) block in on em2:
192.168.202.71.21 > 192.168.202.55.55115: S 2862061812:2862061812(0)
ack 3274064643 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp[|tcp]> (DF)
Apr 04 01:07:54.781216 rule 0/(match) block in on em2:
192.168.202.71.21 > 192.168.202.55.55115: S 2862061812:2862061812(0)
ack 3274064643 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp[|tcp]> (DF)
Apr 04 01:07:57.750219 rule 0/(match) block in on em2:
192.168.202.71.21 > 192.168.202.55.55115: . ack 1 win 17520
<nop,nop,timestamp 111421631 3893958571> (DF)
Apr 04 01:08:00.796686 rule 0/(match) block in on em2:
192.168.202.71.21 > 192.168.202.55.55115: S 2862061812:2862061812(0)
ack 3274064643 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp[|tcp]> (DF)
Apr 04 01:08:09.750208 rule 0/(match) block in on em2:
192.168.202.71.21 > 192.168.202.55.55115: . ack 1 win 17520
<nop,nop,timestamp 111421750 3893958595> (DF)
Apr 04 01:09:04.201350 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.57429: S 1840682208:1840682208(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:09:07.185855 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.57429: S 1840682208:1840682208(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:09:13.201337 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.57429: S 1840682208:1840682208(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:10:21.429235 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.51027: S 2568324960:2568324960(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:10:24.309180 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.51027: S 2568324960:2568324960(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:10:30.324666 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.51027: S 2568324960:2568324960(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:11:41.492967 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.64632: S 3334967980:3334967980(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:11:44.510451 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.64632: S 3334967980:3334967980(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)
Apr 04 01:11:50.525934 rule 0/(match) block in on em2:
192.168.202.71.20 > 192.168.202.55.64632: S 3334967980:3334967980(0)
win 16384 <mss 1460,nop,nop,sackOK> (DF)

Thanks so much.
Thitiporn
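An added pf.conf fragment (not part of the original post) that addresses what the log above shows: the proxy's own connections on em2 are hitting the default "block drop log all" rule, because nothing passes them out of, or back into, $stg_if. It assumes the inetd-launched ftp-proxy shipped with OpenBSD 3.8, which runs as user proxy and has the FTP server open data connections back to the proxy from port 20, and reuses the macro names from the rule set above; the labels are my own.

```pf
# Added example, not from the original post. Append to the rule set
# above. Assumes the OpenBSD 3.8 inetd-launched /usr/libexec/ftp-proxy,
# which runs as user "proxy" and asks the FTP server to open data
# connections back to the proxy from port 20 (ftp-data).

# Control connection: ftp-proxy connects from the firewall's own em2
# address to the server's port 21. These are the
# "block out on em2: 192.168.202.55.xxxxx > 192.168.202.71.21: S" lines.
# "keep state" also lets the server's SYN/ACK match the state entry
# instead of being evaluated against the block rule on the way back in.
pass out on $stg_if inet proto tcp from $stg_if_addr to $stg_addr port ftp \
        user proxy flags S/SA keep state label "FTP proxy control"

# Data connections: the server connects from port 20 back to the port
# ftp-proxy is listening on. These are the
# "block in on em2: 192.168.202.71.20 > 192.168.202.55.xxxxx: S" lines.
# The original "pass in on $inh_if ... from port ftp user proxy" rule
# never matches them: it is on the inside interface and uses source
# port 21, while the data connections arrive on em2 from port 20.
pass in on $stg_if inet proto tcp from $stg_addr port ftp-data to $stg_if_addr \
        user proxy flags S/SA keep state label "FTP proxy data"
```

After loading, `pfctl -sl` shows the two labels' counters, and any remaining "rule 0/(match) block" lines on em2 in the pflog point at a flow these rules still do not cover.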
