Securing the Network in Oracle® Solaris 11.4

Updated: May 2021

How to Make FTP Transfers Pass Through PF Doing NAT on Oracle Solaris


Note - If you do not use PF to do NAT, you can skip this procedure.

    In this task, you use the ftp-proxy service to make FTP transfers pass through PF doing NAT. You need to specify two addresses:

  • The proxy NAT address is the source address that the proxy uses for its own connections to FTP servers.

  • The listening address is the address on which the ftp-proxy service accepts the FTP control connections that PF redirects to it.

Before You Begin

To configure the ftp-proxy service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Modify the /etc/firewall/pf.conf file to enable ftp-proxy configuration.

    Adjust the rules as needed. The rdr-to address and port must match the listening address and port that you configure for the ftp-proxy instance in the next step; otherwise the redirected FTP control connections do not reach the proxy. Depending on the rest of your rule set, the last rule in the following example, which explicitly permits outgoing FTP connections from the proxy itself, might not be necessary.

    $ vi /etc/firewall/pf.conf
       ...
       anchor "network:firewall:ftp-proxy:default/*"
           pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
           pass out inet proto tcp from (self) to any port ftp

    If you are not using the default ftp-proxy instance, substitute your instance name for default, as in:

       anchor "network:firewall:ftp-proxy:your-instance/*"
  2. Configure the listening address and the proxy address of the default ftp-proxy service, then verify.
    $ pfbash ftp-proxy -c default -b 127.0.0.1 -a proxy-nat-address
    $ ftp-proxy -c default

    The proxy-nat-address is the address that FTP servers see as the source of the proxied connections, that is, the public address of the NAT gateway on which ftp-proxy runs. Running ftp-proxy -c default with no other options displays the current configuration of the instance.

  3. (Optional) Configure the listening address and port, and the proxy address of the anonymous ftp-proxy service, then list the configuration.

    Because this command does not specify a listening address, the anonymous instance uses the default listening address. Two instances cannot listen on the same address and port, so specify a port that differs from the port the default instance uses.

    $ ftp-proxy -C anonymous -A on -p port -a proxy-nat-address
    $ ftp-proxy -c anonymous

    If you later decide to let the anonymous instance handle all FTP connections rather than only anonymous logins, turn anonymous mode off.

    $ ftp-proxy -c anonymous -A off
  4. Configure your FTP rule set in PF.

    For example:

    ## process the ftp-proxy service's rules
    anchor "ftp/*"
    
    ## redirect ftp connection attempts to the ftp-proxy
      pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
    
    ## allow outgoing ftp connections from the proxy if needed
      pass out inet proto tcp from (self) to any port ftp
    
    ## redirect connections that should be allowed only 
    ## in the anonymous mode to the anonymous ftp-proxy
    ...
  5. (Optional) Log FTP packets or turn off logging that has been enabled.

    Logged FTP packets are sent to the pflog0 capture datalink only.

    1. Add log actions to the FTP rule set.
        pass in quick log inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
        pass out log inet proto tcp from (self) to any port ftp
    2. Activate logging for the FTP packets, or stop logging.
      $ ftp-proxy -c default -v on    # equivalent to -v in OpenBSD's ftp-proxy
      $ ftp-proxy -c default -v all   # equivalent to -vv
      $ ftp-proxy -c default -v off   # stop logging packets

      For a description of the three log options, see the ftp-proxy(8) man page.

  6. Ensure that the network/socket-filter:pf_divert service is online in the global zone.
    global-zone $ svcs -x svc:/network/socket-filter:pf_divert

    If the socket-filter:pf_divert service is not online in the global zone, enable it.

    global-zone $ pfbash svcadm enable socket-filter:pf_divert
  7. Restart the firewall service, then refresh and enable each ftp-proxy service instance.
    $ pfbash svcadm restart firewall
    $ svcadm refresh ftp-proxy:default
    $ svcadm refresh ftp-proxy:anonymous
    $ svcadm enable ftp-proxy:default
    $ svcadm enable ftp-proxy:anonymous
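
The following POSIX shell script is an added example; it is not part of the Oracle Solaris documentation or of the ftp-proxy tool. It lints a pf.conf file against the ftp-proxy instance settings from steps 1 to 4 before you run svcadm restart firewall: it confirms that each instance's anchor is present, that a pass in quick rule redirects port ftp to exactly the address and port the instance listens on, that the proxy listens only on loopback, and that no two instances share a listening socket. It assumes the anchor naming pattern network:firewall:ftp-proxy:<instance>/* shown in step 1 and that the rdr-to target must equal the instance's -b/-p socket. The sample rule sets it writes to temporary files, including the 192.0.2.10 address, are constructed for the demonstration and not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of Oracle Solaris or of ftp-proxy: lint a pf.conf
# against the ftp-proxy instance settings before 'svcadm restart firewall'.
# Assumptions: anchors are named "network:firewall:ftp-proxy:<instance>/*"
# (as in step 1) and the rdr-to target must be the instance's -b/-p socket.

# check_ftp_proxy_rules PF_CONF INSTANCE LISTEN_ADDR LISTEN_PORT
# Returns 0 when the instance's anchor and a redirect rule to its listening
# socket are present and that socket is on loopback; otherwise prints the
# reason on stderr and returns 1 (no anchor), 2 (no redirect), 3 (exposed).
check_ftp_proxy_rules() {
    conf=$1 inst=$2 addr=$3 port=$4
    anchor="network:firewall:ftp-proxy:${inst}/*"

    # 1. Without its anchor, the per-session rules ftp-proxy inserts for the
    #    data connections it negotiates are never evaluated (-F: literal match).
    if ! grep -Fq "anchor \"${anchor}\"" "$conf"; then
        echo "$inst: missing anchor \"$anchor\"" >&2
        return 1
    fi

    # 2. Some 'pass in quick ... port ftp rdr-to ADDR port PORT' rule must hand
    #    inbound FTP control connections to exactly the socket this instance
    #    listens on; a mismatch redirects clients to a port nothing serves.
    if ! awk -v a="$addr" -v p="$port" '
        $1 == "pass" && $2 == "in" && /quick/ && /port ftp/ {
            for (i = 1; i <= NF; i++)
                if ($i == "rdr-to" && $(i+1) == a &&
                    $(i+2) == "port" && $(i+3) == p)
                    found = 1
        }
        END { exit found ? 0 : 1 }' "$conf"; then
        echo "$inst: no 'pass in quick' rule redirecting port ftp to $addr port $port" >&2
        return 2
    fi

    # 3. The proxy should be reachable only from the firewall host itself.
    case $addr in
        127.*|::1) return 0 ;;
        *) echo "$inst: listening address $addr is not loopback" >&2; return 3 ;;
    esac
}

# check_listen_conflicts  (reads "instance addr port" lines on stdin)
# Two instances, e.g. default and anonymous, cannot bind the same socket;
# returns 0 if every listening socket is distinct, 1 if any is shared.
check_listen_conflicts() {
    awk '{
        key = $2 ":" $3
        if (key in seen) {
            print $1 " and " seen[key] " both listen on " key > "/dev/stderr"
            dup = 1
        }
        seen[key] = $1
    }
    END { exit dup ? 1 : 0 }'
}

# Constructed sample rule sets for the demonstration (not from a real system).
PF_GOOD=$(mktemp) PF_BAD=$(mktemp)
trap 'rm -f "$PF_GOOD" "$PF_BAD"' EXIT
cat > "$PF_GOOD" <<'EOF'
anchor "network:firewall:ftp-proxy:default/*"
    pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
    pass out inet proto tcp from (self) to any port ftp
anchor "network:firewall:ftp-proxy:anonymous/*"
    pass in quick log inet proto tcp to port ftp rdr-to 127.0.0.1 port 8022
EOF
# default redirects to a port nothing listens on; anonymous is redirected to a
# non-loopback address (192.0.2.10 is a documentation address, constructed).
cat > "$PF_BAD" <<'EOF'
anchor "network:firewall:ftp-proxy:default/*"
    pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8022
anchor "network:firewall:ftp-proxy:anonymous/*"
    pass in quick inet proto tcp to port ftp rdr-to 192.0.2.10 port 8021
EOF

check_ftp_proxy_rules "$PF_GOOD" default 127.0.0.1 8021 && echo "default: ok"
check_ftp_proxy_rules "$PF_GOOD" anonymous 127.0.0.1 8022 && echo "anonymous: ok"
check_ftp_proxy_rules "$PF_BAD" default 127.0.0.1 8021 || echo "default: rejected, as expected"
check_ftp_proxy_rules "$PF_BAD" anonymous 192.0.2.10 8021 || echo "anonymous: rejected, as expected"
printf '%s\n' "default 127.0.0.1 8021" "anonymous 127.0.0.1 8021" |
    check_listen_conflicts || echo "listening-socket conflict detected, as expected"
```

On a live system, point check_ftp_proxy_rules at /etc/firewall/pf.conf and pass the values you gave to ftp-proxy -c ... -b/-p for each instance; pfctl -nf /etc/firewall/pf.conf still provides the syntax check, this script only covers the consistency between the rule set and the proxy instances that pfctl cannot see.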