From owner-freebsd-pf@FreeBSD.ORG Thu Jan 7 21:02:51 2010
From: J65nko <j65nko@gmail.com>
To: "M. Keith Thompson"
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp problem
Date: Thu, 7 Jan 2010 21:37:27 +0100
Message-ID: <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com>
In-Reply-To: <2cf1d0681001071216p6b516e9egcf7401f2b38e3c3d@mail.gmail.com>
References: <7731938b1001060923n5de4b511of07b8c63cff4e011@mail.gmail.com> <2cf1d0681001071216p6b516e9egcf7401f2b38e3c3d@mail.gmail.com>

> # SSH from NetEng subnet
> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>
> # Allow inside network to ping the server
> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>
> # Allow DNS lookups
> pass out quick on $ext_if proto udp to any port 53
> pass out quick on $ext_if proto tcp to any port 53 keep state
>
> # Allow ftp
> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>
> --- end of pf.conf ----------------------

To prevent problems with TCP window scaling you should create state on only the first packet of the 3-way TCP handshake, the packet with only the SYN flag set. With pf you do this by using "keep state flags S/SA".

This TCP window scaling issue is explained by Daniel Hartmeier, pf hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238 under the section "Create TCP states on the initial SYN packet".

BTW I wonder why you don't use the pf ftp-proxy, and why you allow active ftp transfers ;)
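As an added example, not part of this mail or the original poster's pf.conf, here are the quoted rules rewritten so that pf creates TCP state only on the initial SYN, as the reply recommends. Macro names come from the quoted configuration; the interface name and addresses are placeholders, and the active-mode rule is turned around because in active FTP the server, not the client, opens the data connection.

```pf
# Added example (not from the original mail). Macro names follow the quoted
# pf.conf; values below are placeholders from the documentation ranges.
ext_if  = "em0"                   # assumed external interface
ext_IP  = "192.0.2.10"            # placeholder server address
net_eng = "{ 198.51.100.0/24 }"   # placeholder NetEng subnet
pingers = "{ 198.51.100.0/24 }"   # placeholder

# SSH from NetEng subnet: state only on the SYN (flags S/SA), so the
# window-scale option seen on the SYN is recorded in the state entry.
pass in quick log on $ext_if proto tcp from $net_eng to $ext_IP port 22 \
    flags S/SA keep state

# ICMP has no handshake; plain keep state is fine here.
pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state

# Outbound DNS: the TCP rule gets flags S/SA as well.
pass out quick on $ext_if proto udp to any port 53
pass out quick on $ext_if proto tcp to any port 53 flags S/SA keep state

# FTP control channel and passive-mode data range (range as quoted).
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 \
    flags S/SA keep state

# Active-mode data: the server itself connects from port 20 to the client,
# so the SYN leaves through $ext_if. The quoted "pass in ... port 20" rule
# could only ever match the client's SYN-ACK, which flags S/SA rejects;
# the state-creating rule therefore has to be a pass out rule.
pass out quick on $ext_if proto tcp from $ext_IP port 20 to any port > 10000 \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state` afterwards shows each TCP entry with the window scaling recorded from the SYN.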