On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:

quoted text
> One thing to watch out for with binat: you can't use it with
> ftp-proxy(8), since binat is of higher priority than the rdr or
> nat rules which are added to the anchor. The workaround there
> is to list nat and rdr separately.

I just figured this out myself.

    binat + ftp-proxy => passive ftp broken

It seems a bit clunky to work-around this in pf.conf
by doing both an rdr and a nat, and having double the
states in consequence.

Instead, how does the design below sound?

The basic idea is to modify ftp-proxy so it adds binat
rules to it's anchors.

ftp-proxy adds a binat rule for every nat rule
added to its anchors.  Like so (based on the man page):

----<snip>-------
      In case of passive mode (PASV or EPSV):

        binat from $client to $server port $port -> $proxy
        nat from $client to $server port $port -> $proxy
        pass in quick inet proto tcp \
            from $client to $server port $port
        pass out quick inet proto tcp \
            from $proxy to $server port $port
----<snip>-------

The ftp-proxy(8) man page could then have something like
this starting the CONFIGURATION section:

----<snip>-------
To make use of the proxy, pf.conf(5) needs the following rules.
The binat-anchor is optional, all other anchors are
mandatory.  The binat-anchor should be filtered so that
it applies to connections initiated by those hosts, and
only those hosts, which are translated with binat rules
further down in the pf rule set.  Applying the binat-anchor
to hosts not translated with binat rules, especially
to connections initiated from the Internet, may be a
security risk.

Adjust the rules as needed.

      In the TABLE section:
        table <binatted_hosts> { 192.168.1.10, 192.168.1.11 }

      At the top of the NAT section:

        binat-anchor "ftp-proxy/*" from <binatted_hosts> to any
        nat-anchor "ftp-proxy/*"
        rdr-anchor "ftp-proxy/*"
        rdr pass on $int_if proto tcp from $lan to any port 21 -> \
            127.0.0.1 port 8021

----<snip>-------


Note that in theory ftp-proxy could use binat all the
time instead of nat.  Not only would this horribly break
backwards compatibility with existing pf configs, it would
require much care when writing pf configs to ensure that
the binat was filtered so that it is used only when
the ftp client initiates a passive ftp data connection.
I can't think of a way to write the binat rule so that
it will only ever apply when the ftp client initiates
a passive data connection.  But then, it's late.
If somebody else can then the binat-anchor config
line in pf.conf becomes simpler, and nat _could_ be
entirely replaced by binat.

Yes Virginia, FTP is ugly.

Regards,

Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein