Revision as of 16:00, 26 February 2014 by Erik

Some protocols need the assistance of a proxy in order to work properly through a NAT firewall. This is due to historical design flaws in these protocols, which date back to before NAT became widely used. These proxies are disabled by default and, by design, do not support IPv6 (these problems should not be carried over into an IPv6 environment).

FTP proxy

The FTP proxy addresses an issue with outbound FTP connections. If the client uses active FTP transfers (which should be considered bad practice and deprecated), it asks the server to connect back to the client to send data over a separate data connection (instead of the other way around). That isn't a problem if the client isn't behind a NAT firewall and has its own public IP address. If the client is behind a NAT firewall, there are two major technical issues.

  • The client only knows its internal IP address, and asks the server to connect back to it (eg.
  • The firewall isn't configured to forward external traffic on port 12345 to the FTP client.

The ftp-proxy solves this issue by intercepting the outbound FTP connection, replacing the client's internal IP address with the firewall's external IP address and opening up a temporary port forwarding back to the client. This proxy should ONLY be configured on local interfaces. Also note that granting an FTP client the power to open up arbitrary ports in the firewall is not in compliance with good security practices.

fw1# set interface emX { ftp-proxy

Caveat: The FTP proxy is not compatible with FTPS.
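As an added illustration of the rewrite described above (example code written for this page, not the firewall's own ftp-proxy), the following Python models what the proxy does with the client's PORT command: it swaps in the external address and a freshly allocated port, records the forwarding rule that maps that port back to the client, and refuses a PORT command that names any host other than the client that sent it, so the client can only open a pinhole to itself. The addresses, the port 12345 from the text and the port allocator are constructed sample values.

```python
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" where port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def parse_port_command(line):
    """Return (ip, port) from a PORT command; raise ValueError if malformed."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(ip, port):
    """Build a PORT command line for the given dotted-quad address and port."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def rewrite_port(line, client_ip, external_ip, allocate_port):
    """Rewrite a NAT'd client's PORT command the way an FTP proxy would.

    The server is told to connect to the firewall's external address on a
    freshly allocated port, and a forwarding rule maps that port back to the
    client. Only a pinhole to the host that sent the command is opened: a PORT
    naming any other address is refused, so the client cannot make the firewall
    forward traffic to third parties.
    Returns (rewritten_line, forwarding_rule).
    """
    ip, port = parse_port_command(line)
    if ip != client_ip:
        raise PermissionError(f"PORT address {ip} does not match client {client_ip}")
    if port < 1024:
        raise PermissionError("refusing to forward to a privileged port")
    ext_port = allocate_port()
    rule = {"external_port": ext_port, "internal_ip": ip, "internal_port": port}
    return format_port_command(external_ip, ext_port), rule


if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 asks for port 12345 (48*256+57);
    # the firewall's external address is 203.0.113.5 (documentation range).
    ports = iter(range(50000, 60000))  # stand-in for the proxy's port allocator
    new_line, rule = rewrite_port("PORT 192,168,1,10,48,57\r\n", "192.168.1.10",
                                  "203.0.113.5", lambda: next(ports))
    print(new_line.strip(), rule)
```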

PPTP proxy

The PPTP proxy addresses an issue where multiple clients behind a NAT firewall try to connect to the same external PPTP server. PPTP and GRE were never designed to work through a NAT firewall. GRE is treated as a "three tuple" protocol by most NAT firewalls (GRE/from/to), unlike TCP and UDP, which are "five tuple" and therefore identify a connection by five unique identifiers (protocol/from/port/to/port). Two TCP connections to the same host can thus be told apart by their port numbers and sent to different internal hosts using the firewall's state table, whereas two GRE flows between the firewall and the same server cannot.

The pptp-proxy solves this issue by intercepting the outbound PPTP (port 1723) connection, changing the call ID to be unique and routing the GRE traffic according to its own state table, now keyed by the call ID (a four tuple). This proxy should ONLY be configured on local interfaces.

fw1# set interface emX { pptp-proxy