Date:      Thu, 7 Jan 2010 16:42:26 -0600
From:      "Gary Gatten" <Ggatten@waddell.com>
To:        "Dino Vliet" <dino_vliet@yahoo.com>, <freebsd-questions@freebsd.org>
Subject:   RE: pf headaches: why won' t it let me fetch from ftp servers?
Message-ID:  <3445_1262904193_4B466381_3445_141_1_70C0964126D66F458E688618E1CD008A08CCF2F3@WADPEXV0.waddell.com>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
References:  <452042.31871.qm@web51102.mail.re2.yahoo.com>

I'm not all that familiar with pf syntax, but you know ftp uses ports above 1023 right?  Is pf "stateful" by default so it can allow the ports above 1023?  Also, make sure you're using passive (PASV) ftp.

G


-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Dino Vliet
Sent: Thursday, January 07, 2010 3:39 PM
To: freebsd-questions@freebsd.org
Subject: pf headaches: why won' t it let me fetch from ftp servers?

Dear freebsd list,
I have the following pf.conf file:
tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }"
icmp_types   = "echoreq"
block all
pass inet proto icmp all icmp-type $icmp_types keep state
#pass in proto tcp to any port 22 keep state
pass out proto tcp to any port $tcp_services keep state
#pass out proto tcp to any port 25 keep state
#pass out proto tcp to any port 465 keep state
#pass out proto tcp to any port 587 keep state
pass out proto tcp to any port 5999 keep state
#pass out all keep state
#pass out proto tcp to any keep state
pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
I get the result: Operation not permitted
My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out. Or does it need to be tightened more?
Brgds
Dino

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
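Added example for this archive page; it is not text from either message above and not a FreeBSD project file. It shows Dino's allow-list ruleset with the one rule his fetch needs. The mechanism: a passive FTP transfer first talks to the server on port 21, then the client opens a second outbound TCP connection to a server-chosen port above 1023, and fetch(1) uses passive mode unless told otherwise. Dino's `pass out` rules cover only the listed service ports, so `block all` drops that second connection and the connect() call fails with EPERM, which is the "Operation not permitted" he reports. The `log` keyword on the block rule and the comments are additions; the port range in the last rule is an assumption, since the FTP server's passive range is not known from the thread.

```conf
# Added example (not from the thread): Dino's ruleset plus the passive-FTP
# data channel. Macros are kept as he wrote them.
tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }"
icmp_types   = "echoreq"

# Log blocked packets so a failing fetch is visible on pflog0 instead of
# surfacing only as "Operation not permitted" on the client.
block log all

pass inet proto icmp all icmp-type $icmp_types keep state
pass out proto tcp to any port $tcp_services keep state
pass out proto tcp to any port 5999 keep state
pass out proto udp to any port $udp_services

# Passive FTP data channel: after the port-21 control session, the client
# opens a second outbound TCP connection to a high port chosen by the server.
# Assumption: the server's passive range is unknown, so the whole unprivileged
# range is allowed; narrow it if the server documents its range.
# flags S/SA: only a SYN creates state, so mid-stream packets cannot open one.
pass out proto tcp to any port > 1023 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While a fetch runs, `pfctl -s states` should show both the port-21 session and the data connection; `tcpdump -n -e -ttt -i pflog0` shows anything the `block log` rule drops, which is the quickest way to confirm that the high-port connection was the one being refused. The last rule opens egress to every unprivileged TCP port, which is much wider than the original allow-list; FreeBSD ships ftp-proxy(8), which inspects the control session and opens only the negotiated data port, and is the tighter choice when the allow-list is meant to stay strict.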