Date: Fri, 08 Jan 2010 10:25:11 +0100
From: Morgan Wesström <freebsd-questions@pp.dyndns.biz>
To: Dino Vliet <dino_vliet@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf headaches: why won't it let me fetch from ftp servers?
Message-ID: <4B46F9F7.2000706@pp.dyndns.biz>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
References: <452042.31871.qm@web51102.mail.re2.yahoo.com>
Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types = "echoreq"
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out. Or does it need to be tightened more?
> Brgds
> Dino
The ftp protocol is unfortunately not very firewall friendly and it
involves far more ports and connections than you have accounted for in your
rules. You should have a look at ftp-proxy(8) and closely study the pf
examples there. I'm sure it will solve your problem.
/Morgan
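For readers following the pointer to ftp-proxy(8), here is an added example ruleset that is not part of either poster's mail. It follows the anchor/rdr pattern documented in that man page and shows what the reply is getting at: FTP uses a control connection on port 21 plus a separate data connection on a negotiated port, so a ruleset that only opens the named service ports lets the control connection through and drops the data connection. The example assumes a FreeBSD gateway with clients on an internal network; ext_if, int_if, lan and the interface names are placeholders.

```conf
# Added example (not from either poster): FTP through pf with ftp-proxy(8),
# following the pattern in that man page. Assumes a FreeBSD gateway with
# LAN clients behind $int_if; interface names and the LAN prefix are assumed.
ext_if = "em0"              # assumption: external interface
int_if = "em1"              # assumption: internal interface
lan    = "192.168.1.0/24"   # assumption: internal network

tcp_services = "{ ssh, domain, www, auth, https }"
udp_services = "{ domain, ntp }"
icmp_types   = "echoreq"

# Anchors into which ftp-proxy inserts its per-session nat/rdr/pass rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand LAN clients' FTP control connections to ftp-proxy on 127.0.0.1:8021,
# where it reads the PORT/PASV exchange and opens only the data ports needed.
rdr pass on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021

block all
anchor "ftp-proxy/*"

pass inet proto icmp all icmp-type $icmp_types keep state
pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services keep state

# The proxy itself opens the control connection to the remote server; the
# data connections are covered by the rules ftp-proxy adds inside the anchor.
pass out proto tcp from ($ext_if) to any port ftp keep state
```

The proxy is started with ftpproxy_enable="YES" in /etc/rc.conf. Note that this covers clients behind the gateway; for a client on the firewall host itself, as in the question, the passive-mode data connection that fetch(1) opens still goes out to a server-chosen high port, which is exactly the connection the original "block all" plus named-port rules rejects.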