From: "Fire walls" <fayerwall@gmail.com>
To: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))
Date: Mon, 11 Dec 2006 00:09:22 -0800
Subject: Problems with pftpx rules.

Hi people.
I have been working with the pftpx port, because it is supposed to have better features than ftp-proxy, but maybe I still don't understand how to set up my rules. I read the manual page and set up my rules this way:

ext_if="tun0"
int_if="fxp0"
local_net="192.168.10.0/24"
tcpflags="flags S/SA"

scrub in all

nat on $ext_if from $local_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $local_net to any port 21 -> 127.0.0.1 \
    port 8021

#####################################################################
# Filtering                                                         #
#####################################################################
# Local LAN
anchor "pftpx/*"
pass in quick on $int_if inet proto tcp from any to any port 21 flags S/SA \
    keep state
pass in quick on $int_if inet proto tcp from any to any port 20 flags S/SA \
    keep state
pass in quick on $int_if all
pass out quick on $int_if inet proto tcp from any to any port = 21 flags S/SA \
    keep state
pass out quick on $int_if inet proto tcp from any to any port = 20 flags S/SA \
    keep state
pass out quick on $int_if all

# Loopback #
pass in quick on lo0 all
pass out quick on lo0 all

#####################################################################
# tun Interface                                                     #
# Inbound                                                           #
#####################################################################
#anchor "ftp-proxy/*"
block in all
block out all
pass in quick on $ext_if inet proto udp from X.Y.Z.A to any \
    port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.B to any \
    port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.C to any \
    port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.D to any \
    port = 68 keep state
pass in log quick on $ext_if inet proto tcp from any to $ext_if port \
    22 flags S/SA keep state
# keep state
block drop in log-all quick on $ext_if from any to any

#####################################################################
# tun Interface                                                     #
# Outbound                                                          #
#####################################################################
pass out quick on $ext_if inet proto tcp from any to any port = 53 \
    $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 53 \
    keep state
pass out quick on $ext_if inet proto udp from any to any port = 67 \
    keep state
pass out quick on $ext_if inet proto tcp from any to any port = 80 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 443 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 25 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 110 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 37 \
    $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 21 \
    $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 20 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 22 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 23 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 5999 \
    $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 43 \
    $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 123 \
    keep state
pass out quick on $ext_if inet proto icmp all keep state
block out log-all quick on $ext_if all
#################################################################

My clients behind my firewall can sometimes connect to Internet FTP servers and sometimes can't; others can connect but cannot display any folder, and others get "No route to host".
I have been playing with pftpx. If I don't use the rules on my $int_if that pass FTP for me and just put

pass in quick on $int_if all

they sometimes cannot reach any FTP server; other times they connect, but when I execute the command ls, the server waits and then gives me back "421 service not available", or "no route to host". Maybe my rules are wrong; does someone see where my mistake is? How can I fix this problem? Any advice will be appreciated; thanks all for your time.

FreeBSD 6.1-p11. pftpx from ports.

-- 
:-)
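A static check of the pftpx plumbing that the ruleset above relies on (the three "pftpx/*" anchors, the rdr of LAN port 21 to the proxy, a pass out rule for the proxy's control connection, and no quick block on the external interface ahead of the filter anchor), written as an added example that is neither the poster's code nor part of the pftpx port. It assumes the proxy listens on 127.0.0.1 port 8021 as in the rdr above and that the external interface is tun0; the embedded sample is a constructed skeleton of the quoted ruleset.

```python
# Static check of the pftpx plumbing in a pf.conf (FreeBSD 6.x pf syntax); added example, not the mail's own code.
import re

PROXY = "127.0.0.1 port 8021"   # where the mail's rdr sends LAN port-21 traffic (assumed pftpx listener)

def logical_lines(text):
    """Join backslash continuations, strip comments, expand simple "$macro" values."""
    macros, out = {}, []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            for name, value in macros.items():
                line = line.replace("$" + name, value)
            out.append(re.sub(r"\s+", " ", line))
    return out

def check_pftpx(text, ext_if="tun0"):
    """Return a list of findings; an empty list means the plumbing looks complete."""
    lines, findings = logical_lines(text), []
    # pftpx fills these anchors at runtime, so all three must be declared
    for needed in ('nat-anchor "pftpx/*"', 'rdr-anchor "pftpx/*"', 'anchor "pftpx/*"'):
        if needed not in lines:
            findings.append("missing " + needed)
    if not any(l.startswith("rdr") and "port 21 -> " + PROXY in l for l in lines):
        findings.append("no rdr of port 21 to " + PROXY)
    if not any(l.startswith("pass out") and "on " + ext_if + " " in l
               and re.search(r"proto tcp .*port (= )?21\b", l) for l in lines):
        findings.append("no pass out rule for tcp port 21 on " + ext_if)
    # an anchor is evaluated in place: a quick block on the external interface before it shadows pftpx's rules
    if 'anchor "pftpx/*"' in lines:
        for l in lines[: lines.index('anchor "pftpx/*"')]:
            if l.startswith("block") and " quick " in l and "on " + ext_if + " " in l:
                findings.append("quick block on " + ext_if + " precedes the pftpx anchor: " + l)
    return findings

# Constructed sample: the skeleton of the ruleset quoted in the mail above
SAMPLE = '''
ext_if="tun0"
local_net="192.168.10.0/24"
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on fxp0 proto tcp from $local_net to any port 21 -> 127.0.0.1 \\
    port 8021
anchor "pftpx/*"
pass out log-all quick on $ext_if inet proto tcp from any to any port = 21 flags S/SA keep state
block out log-all quick on $ext_if all
'''
```

Run check_pftpx() on the real /etc/pf.conf text before pfctl -f loads it; an empty list means only the runtime side (pftpx running, its anchor rules appearing under pfctl -a) remains to be checked.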