In this task, you use the ftp-proxy service to make FTP transfers pass through PF doing NAT. You need to specify two addresses:
The proxy NAT address is the source address for connections to FTP servers.
The listening address is where the ftp-proxy service listens.
Before You Begin
To configure the ftp-proxy service, you must become an administrator who is assigned the Network Firewall Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Adjust the rules as needed. Depending on the rest of the ruleset, the last rule in the following example, which explicitly allows outgoing FTP sessions from the proxy, may not be necessary.
$ vi /etc/firewall/pf.conf
...
anchor "network:firewall:ftp-proxy:default/*"
pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port ftp
If you are not using the default ftp-proxy instance, substitute your instance name for default, as in:
anchor "network:firewall:ftp-proxy:your-instance/*"
$ pfbash ftp-proxy -c default -b 127.0.0.1 -a proxy-nat-address
$ ftp-proxy -c default
The proxy-nat-address is the public IP address of the FTP client as seen by the server.
The following command does not specify a listening address, so the anonymous instance uses the default listening address. Because the default instance already listens on that address, specify a different port.
$ ftp-proxy -C anonymous -A on -p port -a proxy-nat-address
$ ftp-proxy -c anonymous
If you later decide to allow the anonymous instance to handle all FTP connections, turn anonymous off.
$ ftp-proxy -c anonymous -A off
## process the ftp-proxy service's rules
anchor "ftp/*"
## redirect ftp connection attempts to the ftp-proxy
pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
## allow outgoing ftp connections from the proxy if needed
pass out inet proto tcp from (self) to any port ftp
## redirect connections that should be allowed only
## in the anonymous mode to the anonymous ftp-proxy
...
Logged FTP packets are sent to the pflog0 capture datalink only.
pass in quick log inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out log inet proto tcp from (self) to any port ftp
$ ftp-proxy -c default -v on     /* equivalent to -v in OpenBSD PF */
$ ftp-proxy -c default -v all    /* equivalent to -vv */
$ ftp-proxy -c default -v off    /* stop logging packets */
For a description of the three log options, see the ftp-proxy(8) man page.
global-zone $ svcs -x svc:/network/socket-filter:pf_divert
If the socket-filter:pf_divert service is not online in the global zone, enable it.
global-zone $ pfbash svcadm enable socket-filter:pf_divert
$ pfbash svcadm restart firewall
$ svcadm refresh ftp-proxy:default
$ svcadm refresh ftp-proxy:anonymous
$ svcadm enable ftp-proxy:default
$ svcadm enable ftp-proxy:anonymous
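The rules in pf.conf and the ftp-proxy instance settings have to agree: the anchor must name the instance, and the rdr-to target must be the address and port the proxy was given with -b and -p (8021 unless changed), or FTP connections are redirected to a port nothing listens on and silently fail. The following POSIX sh function is an added example, not part of the Oracle Solaris documentation or the ftp-proxy software; it checks a pf.conf file or fragment against those settings before you restart the firewall. The function name check_ftp_proxy_rules and the sample configuration files it is run against are constructed for this example.

```shell
#!/bin/sh
# Added example: verify that a pf.conf (or fragment) is consistent with an
# ftp-proxy instance's listening address and port. Not Oracle's code.
#
# Usage: check_ftp_proxy_rules <conf-file> <instance> <listen-addr> <listen-port>
# Returns 0 when every check passes, 1 otherwise, and names what failed.
check_ftp_proxy_rules() {
    conf=$1        # path to pf.conf or a fragment of it
    instance=$2    # ftp-proxy SMF instance name, e.g. default or anonymous
    laddr=$3       # listening address passed to ftp-proxy -b
    lport=$4       # listening port (8021 unless changed with ftp-proxy -p)
    rc=0

    # 1. The anchor that pulls in the service's own rules must name this instance.
    if ! grep -q "^anchor \"network:firewall:ftp-proxy:${instance}/\*\"" "$conf"; then
        echo "check: no anchor for ftp-proxy instance '${instance}'"
        rc=1
    fi

    # 2. There must be a 'pass in quick' rule that redirects port ftp to the
    #    exact address and port the proxy listens on. 'quick' matters: without
    #    it a later, more general rule could override the redirect.
    if ! grep -E -q "^pass in quick .*proto tcp .*to port ftp rdr-to ${laddr} port ${lport}( |$)" "$conf"; then
        echo "check: no quick rule redirecting port ftp to ${laddr} port ${lport}"
        rc=1
    fi

    return $rc
}

# Constructed sample files for a self-test (hypothetical, not real system files).
good_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
anchor "network:firewall:ftp-proxy:default/*"
pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from (self) to any port ftp
EOF

bad_conf=$(mktemp)
cat > "$bad_conf" <<'EOF'
anchor "network:firewall:ftp-proxy:default/*"
## mismatch: the proxy listens on 8021 but the redirect targets 8022
pass in quick inet proto tcp to port ftp rdr-to 127.0.0.1 port 8022
EOF

check_ftp_proxy_rules "$good_conf" default 127.0.0.1 8021 && echo "good_conf: consistent"
check_ftp_proxy_rules "$bad_conf" default 127.0.0.1 8021 || echo "bad_conf: inconsistent, as expected"
```

Run it against /etc/firewall/pf.conf with the values you passed to ftp-proxy -c, -b and -p for each instance (the anonymous instance needs its own anchor and its own port). This only checks consistency between the two configurations; to have PF parse the file for syntax errors without loading it, use pfctl -nf /etc/firewall/pf.conf on the host itself.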