關于pf的ftp-proxy的問題

bjhb

我的pf.conf中加了
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

加了這一句了8021端口也是起來的，
我現(xiàn)在內網能登入外部的ftp server ,但是驗證完用戶和密碼后就沒無繼續(xù)了說"        建立數(shù)據 socket 失敗",我用tcpdump看好像ftp-server會用一個隨機口連接過來，

我只能在外網口上加上
pass in quick  on $ext_if proto tcp from any to $ext_if port 50000><65000  keep state

允許所以有外網的高端口連接，這樣ftp 才正常

我在想這樣會不會有很大的安全問題啊
請各位說說，大家用 pf的話ftp這塊怎么設也是開放外部高端口進來嗎

congli

ftp服務端使用的端口本來就是>49151的.
但你是出去,是ftp客戶端,應該不需要開啊,反而內網口要放行.
這樣可以不
pass out quick $ext_if proto tcp from any to any port >49151 flags S/SA keep state

bjhb

老大來了啊，
我是ftp客戶端，
理論上是可以的
我試了
pass out quick on $ext_if proto tcp from any to any port >49151 flags S/SA keep state
pass out quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state
我在pf的內外網卡上都做了還是不行，
其實我是有一條pass out quick on $ext_if proto tcp from any to any keep state的
呵呵，但是還是不行，
我tcpdump的結果是ftp server會用隨機端口連接我的$ext_if，
怎么辦。
呢、

congli

pass out quick on $ext_if proto tcp from any to any port >49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state
方向反了.

bjhb

我哭啊，我改了來了，試了一下還是不行，
按理我是用ftp-proxy的話
pass in quick on $int_if proto tcp from any to any port >49151 flags S/SA keep state

應該是可以不要的因為內網的ftp全部用pf的那臺的外網卡代理了，理論上應該是可以不加的
但是我試過了不管加上或是不加都一樣上不了

congli

把rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
取消吧,現(xiàn)在都不需要ftp-proxy的,

正常情況,以下4條就可以:
pass out quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state

pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port 21 flags S/SA keep state

bjhb

老大我又測了，我的規(guī)則是：
int_if="fxp2"
ext_if="fxp0"
#nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $int_if proto tcp from  any to any  port 80 -> 127.0.0.1 port 3188
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

pass out quick on $ext_if proto tcp from any to any port {21,20} flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state
pass in quick on $int_if proto tcp from any to any port {21,20} flags S/SA keep state
我想實現(xiàn)的規(guī)則是先默認阻止，然后再開通允行的。但是這樣ftp就用不了，我把上面的block all注掉ftp就可以了。但是這樣會不會也有安全的問題啊，那沒有在列表中列出的規(guī)則他是默認阻止還是允許啊。

congli

再加一句看看
pass in quick on $ext_if proto tcp from any to any port > 49151 flags S/SA keep state

bjhb

回復 8# congli


  老大終于搞定了，原來不用加這句的只要把原來這一句
“pass in quick on $int_if proto tcp from any to any port > 49151 flags S/SA keep state”
改為
“pass in quick on $int_if proto tcp from any to any port {2000><3500,49151><65535} flags S/SA keep state”  就可以了。
不知道 為什么他還要用到2000到3000之間的端口對外連接，我是用tcpdump發(fā)現(xiàn)的，加上這一段端口出去就好了。

congli

呵~原來如此!
tcpdump是個好工具!