ftp proxy, take 2

[fichtner]

Design questions:

• Can / should it be a plugin?
• Should we enable this per interface?
• Should it have its own service page?
• What configuration parameters do we need?

via: https://forum.opnsense.org/index.php?topic=3293.0

[langerma]

i'd put it into the squid config page i do not think a plugin is necessary as squid is in the base system...

i would rather put squid in as plugin

[fichtner]

@langerma squid ftp doesn't really work with data connections ;(

[langerma]

@fichtner ahh i understand...sorry just read the forum post.

[fbrendel]

Hi,

what do you think about the idea not to use the ftp-proxy but netgraph instead?

For example:
If a rule with an (advanced) option "This is FTP traffic" is created then OPNsense

• creates an additional loX interface
• assignes a local address to the new interface
• creates a netgraph node of type ng_ether for the new local interface
• creates a netgraph node of type ng_ftp (yet to be written)
• connects ng_ether.lower hook to the ng_ftp.in hook
• connects the ng_ftp.out hook to the ng_ether.upper hook
• adds redirect rules per pf anchor for packets from source to destination to this local address and vice versa.

Now the FTP control connection goes through loX -> ng_ether.lower -> ng_ftp.in.
ng_ftp takes care of the PORT command and injects the rules for passing/redirecting the data connection and rewrites the PORT command in case of NAT.
Then the traffic leaves ng_ftp.out -> ng_ether.upper.

The benefits are

• user-friendly
• no context switches
• transparent FTP w/o NAT
• no userland process to monitor

The disadvantage is the missing ng_ftp node type. But this can be easily adopt from e.g. ng_tee.

What do you think, is that feasible?

Frank

[fbrendel]

Hmm, either you are on holiday, very busy or the netgraph idea is absolutely nonsense ;-)

Ok, then back to ftp-proxy.

• Can / should it be a plugin?
  I think no, because it's not possible to add the needed anchors dynamically. They are hard coded in filter.inc.

• Should we enable this per interface?
  Also no, because ftp-proxy binds to an IP address not to an interface. And this is more flexible. Imagine you want ftp traffic to a server with an origin address other than to a second server but over the same interface.

• Should it have its own service page?
  Yes. Define as much ftp proxies as you need here.

• What configuration parameters do we need?
  mandatory parameters:

  • the source address for the control connection (-a 1.2.3.4)
  • the port where the proxy will listen for redirected connections (-p 8021)

  optional parameters

  • an option to rewrite the source port to 20 in active mode (-r)
  • debug level (-D 5)
  • set the log flag on pf rules (-v)
  • fixed server address for reverse mode (-R 192.168.1.21)
  • idle timeout for the control connection (-t 86400)
  • queued connections (-q queue)
  • an option to insert forward/filter rules automatically for a list of interfaces

If you need help I can do the job.
With the Development Manual and the Squid service as cheatsheet/template it shouldn't be that difficult.

[fichtner]

Thanks to @fbrendel we now have an implementation in the plugins to be released in a 16.7.x after resolving a few more limitations of the core. :)

opnsense/plugins@e79baf0