From: Dino Vliet
To: freebsd-questions@freebsd.org
Date: Thu, 7 Jan 2010 13:38:50 -0800 (PST)
Subject: pf headaches: why won't it let me fetch from ftp servers?
Message-ID: <452042.31871.qm@web51102.mail.re2.yahoo.com>
List-Id: User questions <freebsd-questions@freebsd.org>

Dear freebsd list,

I have the following pf.conf file:

    tcp_services = "{ ftp, ssh, domain, www, auth, https }"
    udp_services = "{ ftp, domain, ntp }"
    icmp_types = "echoreq"

    block all
    pass inet proto icmp all icmp-type $icmp_types keep state
    #pass in proto tcp to any port 22 keep state
    pass out proto tcp to any port $tcp_services keep state
    #pass out proto tcp to any port 25 keep state
    #pass out proto tcp to any port 465 keep state
    #pass out proto tcp to any port 587 keep state
    pass out proto tcp to any port 5999 keep state
    #pass out all keep state
    #pass out proto tcp to any keep state
    pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following example:

    fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

I get the result:

    Operation not permitted

My first question is: What is causing this? If I stop pf, then I'm able to fetch it.

My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out. Or need it be tightened more?

Brgds
Dino
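Editor's worked example (added here; this is not Dino's file and not a reply from the list): the posted ruleset with the one rule that accounts for the failure, plus logging so the blocked packet can be observed rather than guessed at. It assumes a single host that is not acting as a NAT gateway, and passive-mode FTP, which is what FreeBSD's fetch(1) uses by default (FTP_PASSIVE_MODE). In passive mode the client first opens the control connection to port 21 (already allowed by $tcp_services), then the server answers PASV with an unprivileged port and the client opens a second, outbound connection to it. No rule in the posted file passes that second connection, so pf drops the locally generated SYN and the calling process gets EPERM, which fetch reports as "Operation not permitted".

```pf
# Added example, not the poster's pf.conf. Assumes: single host, no NAT,
# passive-mode FTP (FreeBSD fetch(1) default).
tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }"
icmp_types   = "echoreq"

# Change 1: log what the default deny drops. A failing fetch then shows up as
# a blocked outbound SYN on pflog0:
#   tcpdump -n -e -ttt -i pflog0
block log all

pass inet proto icmp all icmp-type $icmp_types keep state

# FTP control connection (port 21) and the other listed services: unchanged.
pass out proto tcp to any port $tcp_services keep state
pass out proto tcp to any port 5999 keep state

# Change 2: the passive FTP data connection. The server names an unprivileged
# port in its PASV reply and the client connects to it; with only
# $tcp_services allowed out, pf blocks that connect() and fetch sees EPERM.
# "flags S/SA" creates state only on the initial SYN; "from self" limits the
# rule to this host's own addresses. This is wider than a single port: a
# gateway fronting several clients would run ftp-proxy(8) instead, which opens
# only the port negotiated for each transfer.
pass out proto tcp from self to any port > 1023 flags S/SA keep state

# "keep state" is explicit here so reply datagrams are matched to this rule.
pass out proto udp to any port $udp_services keep state
```

Syntax-check the file before loading it (`pfctl -nf /etc/pf.conf` parses without applying; `pfctl -f /etc/pf.conf` loads it), then rerun the fetch while watching pflog0: with the ruleset above the data-connection SYN should no longer appear as a block, and any remaining block lines point at whatever else the default deny is still catching.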