Date:      Mon, 11 Dec 2006 00:09:22 -0800
From:      "Fire walls" <fayerwall@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Problems with pftpx rules.
Message-ID:  <b61774460612110009v4c6c6a00sa082513ac0a89f9@mail.gmail.com>

  Hi people.

  I have been working with the pftpx port, because it is supposed to have better
features than ftp-proxy, but maybe I still don't understand how to set up my
rules. I read the manual page and set up my rules this way:

ext_if="tun0"
int_if="fxp0"
local_net="192.168.10.0/24"
tcpflags="flags S/SA"

scrub in all

nat on $ext_if from $local_net to any -> ($ext_if)
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from $local_net to any port 21 -> 127.0.0.1 \
        port 8021

#####################################################################
#                             Filtering                             #
#####################################################################

#                            Local LAN
anchor "pftpx/*"
pass in quick on $int_if inet proto tcp from any to any port 21 flags S/SA \
        keep state
pass in quick on $int_if inet proto tcp from any to any port 20 flags S/SA \
        keep state
pass in quick on $int_if all
pass out quick on $int_if inet proto tcp from any to any port = 21 flags S/SA \
        keep state
pass out quick on $int_if inet proto tcp from any to any port = 20 flags S/SA \
        keep state
pass out quick on $int_if all

#                            Loopback                               #
pass in quick on lo0 all
pass out quick on lo0 all

#####################################################################
#                           tun Interface                           #
#                               Inbound                             #
#####################################################################
#anchor "ftp-proxy/*"

block in all
block out all

pass in quick on $ext_if inet proto udp from X.Y.Z.A to any \
        port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.B to any \
        port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.C to any \
        port = 68 keep state
pass in quick on $ext_if inet proto udp from X.Y.Z.D to any \
        port = 68 keep state
pass in log quick on $ext_if inet proto tcp from any to $ext_if port \
        22 flags S/SA keep state
#       keep state
block drop in log-all quick on $ext_if from any to any

#####################################################################
#                           tun Interface                           #
#                             Outbound                              #
#####################################################################
pass out quick on $ext_if inet proto tcp from any to any port = 53 \
        $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 53 \
        keep state
pass out quick on $ext_if inet proto udp from any to any port = 67 \
        keep state
pass out quick on $ext_if inet proto tcp from any to any port = 80 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 443 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 25 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 110 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 37 \
        $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 21 \
        $tcpflags keep state
pass out log-all quick on $ext_if inet proto tcp from any to any port = 20 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 22 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 23 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 5999 \
        $tcpflags keep state
pass out quick on $ext_if inet proto tcp from any to any port = 43 \
        $tcpflags keep state
pass out quick on $ext_if inet proto udp from any to any port = 123 \
        keep state
pass out quick on $ext_if inet proto icmp all keep state
block out log-all quick on $ext_if all
#################################################################

My clients behind my firewall sometimes can connect to Internet FTP servers,
sometimes they can't; others can access but cannot display any folder, others
say "No route to host".

I have been playing with pftpx; if I don't use the rules on my $int_if that let
ftp pass and just put

pass in quick on $int_if all

they sometimes cannot reach any ftp server; other times they get access, but
when I execute the command ls, the server waits and gets me back "421 service
not available", or "no route to host".

Maybe my rules are wrong; does someone see where my mistake is?
How can I fix this problem?

Any advice will be appreciated, thanks all for your time.

FreeBSD 6.1-p11.
pftpx from ports.

-- 
:-)
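As an added illustration (not part of the original mail, and not pftpx's own code), a small Python model of pf's evaluation order ("last matching rule wins, unless a matching rule is quick") over the static TCP rules posted above, showing which rule decides each flow of one passive-mode FTP session through the proxy. The passive data port 50123, and the assumption that pftpx places a quick pass rule for the data connection in its anchor, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    iface: Optional[str]    # None = any interface
    port: Optional[int]     # destination port, None = any port
    quick: bool
    label: str              # which line of the posted pf.conf this stands for

    def matches(self, direction, iface, port):
        return (self.direction == direction and self.iface in (None, iface)
                and self.port in (None, port))

ANCHOR = "anchor pftpx/*"   # rules pftpx loads at runtime are evaluated here
STATIC = [  # the static TCP rules from the post, in their posted order
    ANCHOR,
    Rule("pass", "in", "fxp0", 21, True, "pass in quick on $int_if port 21"),
    Rule("pass", "in", "fxp0", None, True, "pass in quick on $int_if all"),
    Rule("pass", "out", "fxp0", None, True, "pass out quick on $int_if all"),
    Rule("block", "in", None, None, False, "block in all"),
    Rule("block", "out", None, None, False, "block out all"),
    Rule("block", "in", "tun0", None, True, "block drop in log-all quick on $ext_if"),
    Rule("pass", "out", "tun0", 21, True, "pass out log-all quick on $ext_if port 21"),
    Rule("pass", "out", "tun0", 20, True, "pass out log-all quick on $ext_if port 20"),
    Rule("block", "out", "tun0", None, True, "block out log-all quick on $ext_if all"),
]

def evaluate(direction, iface, port, anchor_rules=()):
    """Return (action, label) of the rule that decides a packet: last match
    wins, except that a matching quick rule ends evaluation at once."""
    winner = None
    for r in STATIC:
        for cand in (anchor_rules if r is ANCHOR else (r,)):
            if cand.matches(direction, iface, port):
                winner = cand
                if cand.quick:
                    return cand.action, cand.label
    return (winner.action, winner.label) if winner else ("pass", "default pass")

def passive_session(anchor_rules=()):
    """Decide the three flows of one passive-mode FTP session via the proxy."""
    return {
        "client control (in fxp0, to 127.0.0.1:8021 after rdr)": evaluate("in", "fxp0", 8021, anchor_rules),
        "proxy control (out tun0, port 21)": evaluate("out", "tun0", 21, anchor_rules),
        "proxy data (out tun0, port 50123)": evaluate("out", "tun0", 50123, anchor_rules),
    }

# Assumption: pftpx inserts a quick pass for each data connection into its anchor.
PROXY_DATA_RULE = Rule("pass", "out", "tun0", 50123, True, "pftpx anchor rule")
```

With an empty anchor the proxy's passive data connection out on tun0 is decided by the final "block out log-all quick" rule, so a working session depends entirely on what the proxy loads into "pftpx/*"; pfctl -a 'pftpx/*' -sr shows those rules on the live system.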