I have a FreeBSD server and I am trying to get FTP working. If I disable PF, everything works fine.
If I connect while pf is running, I can log in successfully – but as soon as I run ls, I get this:
ftp> ls
229 Entering Extended Passive Mode (|||61162|)
Then nothing... Eventually I get this: 421 Service not available, remote server timed out. Connection closed.
In case anyone can help, I am copying my pf.conf file below.
### macro name for external interface.
ext_if = "re0"
allowed_icmp_types = "echoreq"

### options must come before normalization, translation and filter rules,
### so the loopback exception for the antispoof rules below lives here.
set skip on lo0

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### FTP Proxy stuff
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

### set a default deny everything policy.
block log all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception (set skip on lo0 above), to prevent
### services utilizing the local loop from being blocked accidentally.
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in log from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
#block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN - Finish; end of session
### * S : SYN - Synchronize; indicates request to start session
### * R : RST - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK - Acknowledgement
### * U : URG - Urgent
### * E : ECE - Explicit Congestion Notification Echo
### * W : CWR - Congestion Window Reduced
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacks from ddos become ineffective because
### a spoofed client cannot complete a handshake.
### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# Allow icmp
pass in log quick inet proto icmp all icmp-type $allowed_icmp_types keep state

### let's try this
#pass in on $ext_if proto tcp from any to any port ftp flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state

### NTP allowed
pass in on $ext_if proto tcp from any to any port ntp
pass in on $ext_if proto udp from any to any port ntp
pass out on $ext_if proto tcp to any port ntp
pass out on $ext_if proto udp to any port ntp

### FTP Passive BS
###pass in quick on $ext_if proto tcp from any to any port 30000:60000
pass in on $ext_if proto tcp from any to any port 21 keep state
#pass in on $ext_if proto tcp from any to any port > 49151 keep state

### FTP Outgoing Proxy Stuff
anchor "ftp-proxy/*"

### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Just to state the obvious: you are running the ftp-proxy daemon, and your securelevel is <= 1, right? (See also the ftp-proxy(8) man page, which may be more helpful than I am – FTP and I don't get along.)
In my experience, FTP is horrible behind any kind of intermediate firewall – I usually give up and allow all outbound traffic (& stateful return traffic) for every host that needs to do FTP, which generally solves the problem nicely.
The problem is related to passive FTP using ports other than 21. Read this: http://slacksite.com/other/ftp.html
Generally, if I have set up an FTP server, I whitelist hosts the way voretaq does, or you can usually set the passive port range in the FTP server configuration and then open those ports.
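As an added diagnostic to go with this answer (example code written here, not from the original post or any of the answers): it parses the data port a server announces in a 229 EPSV reply like the one quoted in the question, or in a classic 227 PASV reply, and checks it against a pf-style port range such as the 30000:60000 the poster had commented out, so you can see whether the range pf passes actually covers what the FTP daemon hands out. The sample replies are constructed, and 192.0.2.10 is a documentation address, not a real host.

```python
import re

# Constructed sample replies (not captured from the original poster's server):
# the 229 line mirrors the one quoted in the question; the 227 line is the
# classic PASV form so the same check covers both styles of passive reply.
SAMPLE_REPLIES = [
    "229 Entering Extended Passive Mode (|||61162|)",
    "227 Entering Passive Mode (192,0,2,10,239,106)",
]

_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")
_PASV_RE = re.compile(r"^227 .*\((\d{1,3}(?:,\d{1,3}){3}),(\d{1,3}),(\d{1,3})\)")


def data_port_from_reply(reply):
    """Return the TCP data port announced by a 227 (PASV) or 229 (EPSV) reply.

    Anything else raises ValueError, so a hang is blamed on the firewall
    only when the server really did announce a data port.
    """
    m = _EPSV_RE.match(reply)
    if m:
        return int(m.group(1))
    m = _PASV_RE.match(reply)
    if m:
        p1, p2 = int(m.group(2)), int(m.group(3))
        return p1 * 256 + p2  # RFC 959 encodes the port as two octets
    raise ValueError("not a passive-mode reply: %r" % reply)


def parse_pf_range(spec):
    """Parse a pf-style port range such as '30000:60000' into (low, high)."""
    low, high = (int(x) for x in spec.split(":"))
    if not 0 < low <= high <= 65535:
        raise ValueError("bad port range %r" % spec)
    return low, high


def passive_port_allowed(reply, pf_range):
    """True when the announced data port falls inside the range pf passes."""
    low, high = parse_pf_range(pf_range)
    return low <= data_port_from_reply(reply) <= high


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        for rng in ("30000:60000", "49152:65535"):
            verdict = "allowed" if passive_port_allowed(reply, rng) else "BLOCKED"
            print("%-48s pf range %-12s -> %s" % (reply, rng, verdict))
```

Run it against the real 227/229 lines from an `ftp -d` session and the range in your own pass rule; a BLOCKED verdict means the FTP daemon's passive range and the pf rule disagree.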