From owner-freebsd-questions@FreeBSD.ORG Thu Jan 7 22:42:23 2010
From: Ben Schumacher <benschumacher@gmail.com>
To: Dino Vliet
Cc: freebsd-questions@freebsd.org
Date: Thu, 7 Jan 2010 15:42:17 -0700
Subject: Re: pf headaches: why won't it let me fetch from ftp servers?
Message-ID: <9859143f1001071442r78d1db4cp40c02ec6bbbb29a1@mail.gmail.com>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>

On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
>
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types   = "echoreq"
>
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following example:
> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
>
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out. Or does it need to be tightened more?
>
> Brgds
> Dino

Dino-

Default behavior for FTP is that you open a connection to the server on port 20 and then the server opens a connection back to you on another port, basically. This means that when you have the firewall active you're blocking this inbound connection on the alternate port.
The easiest way to work around this and to get the security of having a firewall running is to use "PASSIVE" mode in your FTP client, which basically indicates that the client will open a second connection to the server:

$ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can set to default to passive FTP. See fetch(3), but basically set it to anything besides "no" to set the default.

Cheers,
Ben
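The exchange behind the active/passive distinction, as an added example that is not part of the thread: it decodes a PASV reply and builds a PORT command to show which side opens the data connection in each mode, then runs the three connections a fetch can involve (control, active data, passive data) through a simplified model of the ruleset quoted above. The model is deliberately small (rules in order, last matching rule wins, new connections only, ICMP left out), the addresses, ports and the 227 reply are constructed, and the extra "port > 1023" rule is a hypothetical addition, not something the poster configured. What it shows beyond the reply: with this ruleset the passive data connection is blocked too, because the client has to connect out to a high server port that none of the pass out rules cover.

```python
"""Who opens the FTP data connection, and what the quoted pf ruleset does to it.

Added example, not code from the thread: the addresses, ports and reply
strings are constructed, and pf_decision() is a simplified model of pf
(rules evaluated in order, last matching rule wins, new connections only).
"""
import re
from typing import NamedTuple, Sequence

# Service names from the quoted pf.conf resolved through /etc/services.
TCP_SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80, "auth": 113, "https": 443}
UDP_SERVICES = {"ftp": 21, "domain": 53, "ntp": 123}


class Conn(NamedTuple):
    direction: str  # "out" = initiated by this host, "in" = initiated by the peer
    proto: str      # "tcp" or "udp"
    dport: int      # destination port of the connection's first packet


# (action, direction, proto, ports); None matches anything.  Same order as the
# active lines of the quoted pf.conf, with the ICMP rule left out.
Rule = tuple
RULES = [
    ("block", None, None, None),                           # block all
    ("pass", "out", "tcp", set(TCP_SERVICES.values())),    # pass out proto tcp to any port $tcp_services keep state
    ("pass", "out", "tcp", {5999}),                        # pass out proto tcp to any port 5999 keep state
    ("pass", "out", "udp", set(UDP_SERVICES.values())),    # pass out proto udp to any port $udp_services
]
# Hypothetical extra rule (NOT in the poster's config) for the passive data
# connection:  pass out proto tcp to any port > 1023 keep state
PASSIVE_DATA_RULE = ("pass", "out", "tcp", range(1024, 65536))


def pf_decision(conn: Conn, rules: Sequence[Rule] = RULES) -> str:
    """Return 'pass' or 'block' for a NEW connection: pf keeps the verdict of
    the last rule that matches (the ruleset uses no 'quick')."""
    decision = "block"
    for action, direction, proto, ports in rules:
        if direction is not None and direction != conn.direction:
            continue
        if proto is not None and proto != conn.proto:
            continue
        if ports is not None and conn.dport not in ports:
            continue
        decision = action
    return decision


_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Decode a 227 reply: the server names host:port, the CLIENT connects out."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_command(client_host: str, client_port: int) -> str:
    """Build the active-mode PORT command: the client listens on
    client_host:client_port and the SERVER connects back in to it."""
    if not 0 < client_port < 65536:
        raise ValueError("bad port %d" % client_port)
    return "PORT %s,%d,%d" % (client_host.replace(".", ","),
                              client_port >> 8, client_port & 0xFF)


def passive_data_conn(pasv_reply: str) -> Conn:
    _, port = parse_pasv(pasv_reply)
    return Conn("out", "tcp", port)


def active_data_conn(client_port: int) -> Conn:
    # The server connects (from its port 20 by convention) to the advertised port.
    return Conn("in", "tcp", client_port)


def ftp_verdicts(pasv_reply: str, client_port: int, rules=RULES) -> dict:
    """Verdicts for the three connections an FTP fetch can involve."""
    return {
        "control": pf_decision(Conn("out", "tcp", TCP_SERVICES["ftp"]), rules),
        "active_data": pf_decision(active_data_conn(client_port), rules),
        "passive_data": pf_decision(passive_data_conn(pasv_reply), rules),
    }


if __name__ == "__main__":
    # Constructed exchange using RFC 5737 documentation addresses, not real hosts.
    pasv = "227 Entering Passive Mode (203,0,113,10,195,80)."
    print("PASV ->", parse_pasv(pasv))                      # ('203.0.113.10', 50000)
    print("active ->", port_command("192.0.2.25", 49152))   # PORT 192,0,2,25,192,0
    print("poster's ruleset:", ftp_verdicts(pasv, 49152))
    print("with port > 1023 rule:", ftp_verdicts(pasv, 49152, RULES + [PASSIVE_DATA_RULE]))
```

Running it shows the control connection passing and both data connections blocked under the quoted rules; only after the hypothetical "port > 1023" pass out rule is appended does the passive data connection get through. The alternative to opening that port range is pf's ftp-proxy(8), which follows the control channel and admits the data connection it negotiates.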