Thursday, January 19, 2012

PF supports FTP servers and FTP clients behind NAT

WAN0 IP: 11.11.11.11
WAN1 IP: 22.22.22.22

FTP0 server (behind NAT) IP: 192.168.100.1
FTP1 server (behind NAT) IP: 192.168.100.2

# vim /etc/rc.local
### ftp-proxy for outside world FTP clients accessing internal FTP servers behind NAT.
/usr/sbin/setfib 0 /usr/sbin/ftp-proxy -R 192.168.100.1 -p 21 -b 11.11.11.11
/usr/sbin/setfib 1 /usr/sbin/ftp-proxy -R 192.168.100.2 -p 21 -b 22.22.22.22

### Note:
### -b // bind to the external IP.
### -R // redirect to internal FTP server IP.

### ftp-proxy for internal FTP clients behind NAT accessing outside world FTP servers.
/usr/sbin/ftp-proxy -p 8021 -b 127.0.0.1

# vim /etc/pf.conf
### [FTP] RDR DMZ to Outside (through ftp-proxy)
### Note: make sure you have the line ftpproxy_enable="YES" in your /etc/rc.conf.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from $dmz_if/24 to any port 21 -> 127.0.0.1 port 8021

### enable logging for debugging purposes.
block log all

### [FTP] from ROUTER to ANY
pass out quick log on $wan_if0 proto tcp from $wan_if0 to any port 21 rtable 0
pass out quick log on $wan_if0 proto tcp from $wan_if0 to any port > 1023 rtable 0

pass out quick log on $wan_if1 proto tcp from $wan_if1 to any port 21 rtable 1
pass out quick log on $wan_if1 proto tcp from $wan_if1 to any port > 1023 rtable 1

### [FTP] from ANY to $dmz_ftp0_ip0 $dmz_ftp1_ip0
pass in quick log on $wan_if0 proto tcp from any to $wan_if0 port 21 rtable 0
pass in quick log on $wan_if0 proto tcp from any to $dmz_ftp0_ip0 port 30000:30900 rtable 0
pass in quick log on $wan_if1 proto tcp from any to $wan_if1 port 21 rtable 1
pass in quick log on $wan_if1 proto tcp from any to $dmz_ftp1_ip0 port 30000:30900 rtable 1

pass out quick log on $dmz_if proto tcp from $dmz_if to $dmz_ftp0_ip0 port 21 rtable 0
pass out quick log on $dmz_if proto tcp from $dmz_if to $dmz_ftp0_ip0 port 30000:30900 rtable 0
pass out quick log on $dmz_if proto tcp from $dmz_if to $dmz_ftp1_ip0 port 21 rtable 1
pass out quick log on $dmz_if proto tcp from $dmz_if to $dmz_ftp1_ip0 port 30000:30900 rtable 1

### [FTP] We need to have an anchor for ftp-proxy.
anchor "ftp-proxy/*"

### [FTP] from DMZ to ANY
pass in quick log on $dmz_if proto tcp from $dmz_if/24 to any port 21 rtable 0

Load the pf.conf ruleset:
# pfctl -f /etc/pf.conf

Try to connect to ftp:
# ftp ftp.freebsd.org
Name: anonymous
Password: anonymous
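The port ranges 30000:30900 in the rules above exist because a passive-mode FTP server tells the client which data port to connect to in its 227 reply, and ftp-proxy must rewrite the advertised address from the internal 192.168.100.x to the WAN address. The following added example (not from the original post) parses a 227 reply the way an outside client sees it and reports the two misconfigurations that show up in practice: a leaked private address (proxy not rewriting) and a data port outside the range the rules pass. The WAN addresses and passive range are taken from this post; the sample replies are constructed.

```python
import ipaddress
import re

# Values from the post's configuration.
EXTERNAL_IPS = {"11.11.11.11", "22.22.22.22"}
PASSIVE_RANGE = (30000, 30900)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(reply, external_ips=EXTERNAL_IPS, passive_range=PASSIVE_RANGE):
    """List the reasons an outside client's data connection would fail.

    An empty list means the advertised endpoint is one the pass rules above
    would accept (WAN address, port inside 30000:30900).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 reply"]
    host, port = parsed
    problems = []
    if ipaddress.ip_address(host).is_private:
        # ftp-proxy should have rewritten this to the -b address.
        problems.append("advertised private address %s: ftp-proxy is not rewriting the reply" % host)
    elif host not in external_ips:
        problems.append("advertised %s is not one of the WAN addresses" % host)
    lo, hi = passive_range
    if not lo <= port <= hi:
        # Falls through to 'block log all' since no pass rule covers it.
        problems.append("data port %d outside %d:%d, blocked by 'block log all'" % (port, lo, hi))
    return problems


# Constructed sample replies, not captured traffic.
SAMPLES = {
    "ok": "227 Entering Passive Mode (11,11,11,11,117,48)",        # 117*256+48 = 30000
    "leak": "227 Entering Passive Mode (192,168,100,1,117,48)",    # internal address leaked
    "range": "227 Entering Passive Mode (22,22,22,22,195,88)",     # 195*256+88 = 50008
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, check_pasv(reply) or "ok")
```

When the "leak" case appears in a real session, check that the matching ftp-proxy process is running with `-b` set to the WAN address; the "range" case means the server's passive port range does not match the 30000:30900 in pf.conf.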
