Date: Thu, 7 Jan 2010 15:42:17 -0700
From: Ben Schumacher <me@benschumacher.com>
To: Dino Vliet <dino_vliet@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf headaches: why won't it let me fetch from ftp servers?
Message-ID: <9859143f1001071442r78d1db4cp40c02ec6bbbb29a1@mail.gmail.com>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
References: <452042.31871.qm@web51102.mail.re2.yahoo.com>
On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet <dino_vliet@yahoo.com> wrote:
> Dear freebsd list,
> I have the following pf.conf file:
>
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types   = "echoreq"
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following example:
> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
>
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
>
> Brgds,
> Dino

Dino-

Default behavior for FTP is that you open a connection to the server on port 20 and then the server opens a connection back to you on another port, basically. This means that when you have the firewall active you're blocking this inbound connection on the alternate port. The easiest way to work around this and get the security of having a firewall running is to use "PASSIVE" mode in your FTP client, which basically indicates that the client will open a second connection to the server:

$ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can set to default to passive FTP. See fetch(3), but basically set it to anything besides "no" to set the default.

Cheers,
Ben
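The following is an added illustration, not code from this thread or from pf: a toy model of the quoted ruleset ("block all" plus "pass out proto tcp ... keep state") that shows why the FTP control connection passes while the data connection does not. The ruleset's "ftp" service name resolves to port 21, which is where the control connection goes; in active mode the server then opens a new inbound connection from port 20 to a client port, and with no "pass in" rule and no matching state that connection is blocked. The model also shows a caveat for the passive fix: the passive data connection goes outbound to a server-chosen high port, which the quoted port list does not cover either, so something like the commented-out "pass out proto tcp to any keep state" line is needed for it to pass. The port numbers used for the data connections are constructed for the example, and the state model is simplified (ports only, no addresses).

```python
# Toy model of the stateful pf ruleset quoted in the thread.  Added illustration,
# not code from the thread or from pf itself; data-connection port numbers are
# constructed for the example and the state table is simplified to port pairs.
from dataclasses import dataclass

# tcp_services = "{ ftp, ssh, domain, www, auth, https }" plus the explicit 5999 rule
QUOTED_TCP_SERVICES = {21, 22, 53, 80, 113, 443, 5999}


@dataclass(frozen=True)
class Segment:
    """One TCP connection attempt as seen by the filtering host."""
    direction: str   # "out": initiated by this host, "in": initiated by the peer
    src_port: int
    dst_port: int


class TinyPF:
    """'block all' plus 'pass out proto tcp ... keep state' rules.

    keep state lets the reply half of a passed outbound connection back in;
    nothing else inbound is allowed, because the ruleset has no 'pass in' rule.
    """

    def __init__(self, allowed_out_ports, pass_out_any=False):
        self.allowed_out_ports = set(allowed_out_ports)
        self.pass_out_any = pass_out_any   # models 'pass out proto tcp to any keep state'
        self.states = set()                # (local_port, remote_port) of passed outbound flows

    def filter(self, seg):
        if seg.direction == "out":
            if self.pass_out_any or seg.dst_port in self.allowed_out_ports:
                self.states.add((seg.src_port, seg.dst_port))
                return "pass"
            return "block"   # 'block all' and no matching pass rule
        # Inbound: only segments belonging to an existing state get through.
        if (seg.dst_port, seg.src_port) in self.states:
            return "pass"
        return "block"


def ftp_session(fw, passive, client_ctrl=50000, client_data=50001, server_data=40000):
    """Return the verdicts for an FTP control connection and its data connection.

    Active mode: the client tells the server (PORT) which local port to call back,
    and the server opens a new connection from port 20 to it.
    Passive mode (fetch -p / FTP_PASSIVE_MODE): the server advertises a high port
    (PASV) and the client opens the data connection outbound to it.
    """
    verdicts = {"control": fw.filter(Segment("out", client_ctrl, 21))}
    if passive:
        verdicts["data"] = fw.filter(Segment("out", client_data, server_data))
    else:
        verdicts["data"] = fw.filter(Segment("in", 20, client_data))
    return verdicts


def main():
    quoted = lambda: TinyPF(QUOTED_TCP_SERVICES)
    opened = lambda: TinyPF(QUOTED_TCP_SERVICES, pass_out_any=True)
    print("quoted ruleset, active FTP: ", ftp_session(quoted(), passive=False))
    print("quoted ruleset, passive FTP:", ftp_session(quoted(), passive=True))
    print("pass out any,   active FTP: ", ftp_session(opened(), passive=False))
    print("pass out any,   passive FTP:", ftp_session(opened(), passive=True))


if __name__ == "__main__":
    main()
```

Running it shows the control connection passing in every case, the active-mode data connection blocked in every case, and the passive-mode data connection passing only once outbound TCP to arbitrary ports is allowed.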