Date: Fri, 08 Jan 2010 10:25:11 +0100
From: Morgan Wesström <freebsd-questions@pp.dyndns.biz>
To: Dino Vliet <dino_vliet@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf headaches: why won't it let me fetch from ftp servers?
Message-ID: <4B46F9F7.2000706@pp.dyndns.biz>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
References: <452042.31871.qm@web51102.mail.re2.yahoo.com>
Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
>
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types = "echoreq"
>
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from a ftp server as in the following example:
> fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
>
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
>
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
>
> Brgds
> Dino

The ftp protocol is unfortunately not very firewall friendly and it involves far more ports and connections than you have accounted for in your rules. You should have a look at ftp-proxy(8) and closely study the pf examples there. I'm sure it will solve your problem.

/Morgan
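Why the quoted ruleset blocks the transfer, as an added example that is not part of the thread: a passive-mode FTP client first connects to port 21, then opens a second TCP connection to whatever high port the server's "227 Entering Passive Mode" reply names. The quoted "pass out proto tcp to any port $tcp_services" rule matches only the control connection, so the data connection falls through to "block all". The script below models that ruleset and parses a PASV reply; the server address and port in the sample reply are constructed, and the rule model and function names are this example's own.

```python
# Added example (not from the thread): models the quoted pf ruleset and shows
# why the FTP data connection is not covered by it.
import re

# Outbound TCP ports permitted by the quoted ruleset: the service names in
# $tcp_services resolved to their well-known numbers, plus the literal 5999.
TCP_SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80,
                "auth": 113, "https": 443}
ALLOWED_OUT_TCP = set(TCP_SERVICES.values()) | {5999}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- port is p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def outbound_tcp_allowed(dst_port: int) -> bool:
    """Quoted ruleset: 'block all' unless a pass-out TCP rule matches the port."""
    return dst_port in ALLOWED_OUT_TCP


def passive_ftp_outcome(pasv_reply: str) -> dict:
    """Evaluate both connections a passive FTP transfer needs."""
    host, data_port = parse_pasv(pasv_reply)
    return {
        "control_port": 21,
        "control_allowed": outbound_tcp_allowed(21),
        "data_host": host,
        "data_port": data_port,
        "data_allowed": outbound_tcp_allowed(data_port),
    }


# Constructed sample reply (address and port values are made up).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,235)"

if __name__ == "__main__":
    print(passive_ftp_outcome(SAMPLE_PASV))
```

In active mode the server instead connects back in to a client port, which the same "block all" with no pass-in rule also drops; ftp-proxy(8) exists to open exactly the data connection each transfer negotiates.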