我有一台 FreeBSD 服务器,正在尝试让 FTP 运行。如果我禁用 pf,一切就都正常了。
如果我在 pf 运行时连接,我可以成功登录 - 但是只要我运行 ls,我就会得到以下信息:
ftp> ls
229 Entering Extended Passive Mode (|||61162|)
然后什么都没有了……最后我得到了这个:421 服务不可用,远程服务器超时。连接已关闭
我正在复制下面的 pf.conf 文件,如果有人能帮助我,我会非常高兴!
### macro name for external interface.
ext_if = "re0"
allowed_icmp_types = "echoreq"
### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble
### FTP Proxy stuff
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
### set a default deny everything policy.
block log all
### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet
### block anything coming from sources that we have no back routes for.
block in log from no-route to any
### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
#block in from urpf-failed to any
### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN - Finish; end of session
### * S : SYN - Synchronize; indicates request to start session
### * R : RST - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK - Acknowledgement
### * U : URG - Urgent
### * E : ECE - Explicit Congestion Notification Echo
### * W : CWR - Congestion Window Reduced
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacts from ddos become uneffective because
### a spoofed client cannot complete a handshake.
### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
# Allow icmp
pass in log quick inet proto icmp all icmp-type $allowed_icmp_types keep state
### lets try this
#pass in on $ext_if proto tcp from any to any port ftp flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state
### NTP allowed
pass in on $ext_if proto tcp from any to any port ntp
pass in on $ext_if proto udp from any to any port ntp
pass out on $ext_if proto tcp to any port ntp
pass out on $ext_if proto udp to any port ntp
### FTP Passive BS
###pass in quick on $ext_if proto tcp from any to any port 30000:60000
pass in on $ext_if proto tcp from any to any port 21 keep state
#pass in on $ext_if proto tcp from any to any port > 49151 keep state
### FTP Outgoing Proxy Stuff
anchor "ftp-proxy/*"
### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
答案1
显而易见的是 - 您正在运行 ftp-proxy 守护程序,并且您的安全级别 <= 1,对吗?(另请参阅 ftp-proxy(8) 手册页,它可能比我提供的更有帮助 - 我和 FTP 不太合得来)
根据我的经验,FTP 在任何还算不错的防火墙后面都会严重损坏——通常我会放弃并允许来自有限数量的主机的所有出站流量(和状态返回流量),需要执行 FTP 通常可以很好地解决该问题......
答案2
该问题与被动 FTP 使用 21 以外的端口有关。请在此处阅读详细信息:http://slacksite.com/other/ftp.html
通常,如果我设置了一个 FTP 服务器,我会像 voretaq 说的那样将主机列入白名单,或者通常可以设置在 FTP 配置中使用的被动端口范围,然后打开这些端口。