From: "Gary Gatten" <Ggatten@waddell.com>
To: "Dino Vliet"
Delivered-To: freebsd-questions@freebsd.org
Date: Thu, 7 Jan 2010 16:42:26 -0600
Subject: RE: pf headaches: why won't it let me fetch from ftp servers?
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
I'm not all that familiar with pf syntax, but you know ftp uses ports above 1023, right? Is pf "stateful" by default so it can allow the ports above 1023? Also, make sure you're using passive (PASV) ftp.

G

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Dino Vliet
Sent: Thursday, January 07, 2010 3:39 PM
To: freebsd-questions@freebsd.org
Subject: pf headaches: why won't it let me fetch from ftp servers?

Dear freebsd list,

I have the following pf.conf file:

tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }"
icmp_types = "echoreq"

block all
pass inet proto icmp all icmp-type $icmp_types keep state
#pass in proto tcp to any port 22 keep state
pass out proto tcp to any port $tcp_services keep state
#pass out proto tcp to any port 25 keep state
#pass out proto tcp to any port 465 keep state
#pass out proto tcp to any port 587 keep state
pass out proto tcp to any port 5999 keep state
#pass out all keep state
#pass out proto tcp to any keep state
pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following example:

fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

I get the result: Operation not permitted

My first question is: What is causing this? If I stop pf, then I'm able to fetch it.

My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
Brgds,
Dino
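Added example, not code from either poster: a small Python model of the quoted ruleset, applied to a passive FTP transfer of the kind Gary suggests checking for. It assumes fetch uses passive mode, that pf resolves the service names to their standard /etc/services ports, and the "227" PASV reply below is constructed; it shows that the control channel to port 21 passes the ruleset while the server-chosen data port does not.

```python
import re

# Service names used in the ruleset, mapped to the standard ports pf
# looks them up as in /etc/services.
SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80,
            "auth": 113, "https": 443, "ntp": 123}

# Outbound ports the quoted pf.conf passes: $tcp_services plus 5999 for TCP,
# $udp_services for UDP. Everything else falls back to "block all".
TCP_OUT = {SERVICES[s] for s in ("ftp", "ssh", "domain", "www", "auth", "https")} | {5999}
UDP_OUT = {SERVICES[s] for s in ("ftp", "domain", "ntp")}


def pass_out(proto, dport):
    """Mimic the ruleset: 'block all' comes first and the last matching rule
    wins, so an outbound connection passes only if a 'pass out' rule names
    its destination port."""
    if proto == "tcp":
        return dport in TCP_OUT
    if proto == "udp":
        return dport in UDP_OUT
    return False


# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) the server asks the client to connect to."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def passive_fetch_allowed(pasv_reply):
    """(control_ok, data_ok): does each channel of a passive transfer get
    past the ruleset? Control goes to port 21, data to the PASV port."""
    _, data_port = parse_pasv(pasv_reply)
    return pass_out("tcp", 21), pass_out("tcp", data_port)


if __name__ == "__main__":
    # Constructed sample reply; address and port are made up.
    sample = "227 Entering Passive Mode (192,0,2,10,195,89)"
    print(passive_fetch_allowed(sample))  # (True, False): data channel blocked
```

Because pf blocks the locally originated data connection, connect() fails with EPERM, which fetch reports as "Operation not permitted".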