From owner-freebsd-questions@FreeBSD.ORG Fri Jan 8 09:25:15 2010
Message-ID: <4B46F9F7.2000706@pp.dyndns.biz>
Date: Fri, 08 Jan 2010 10:25:11 +0100
From: Morgan Wesström
To: Dino Vliet
Cc: freebsd-questions@freebsd.org
References: <452042.31871.qm@web51102.mail.re2.yahoo.com>
In-Reply-To: <452042.31871.qm@web51102.mail.re2.yahoo.com>
Subject: Re: pf headaches: why won't it let me fetch from ftp servers?
Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
>
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types = "echoreq"
>
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following example:
> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
>
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
>
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
>
> Brgds,
> Dino

The ftp protocol is unfortunately not very firewall friendly and it involves far more ports and connections than you have accounted for in your rules. You should have a look at ftp-proxy(8) and closely study the pf examples there. I'm sure it will solve your problem.

/Morgan
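An added example, not from either poster, of the ftp-proxy(8) arrangement Morgan refers to, following the layout used in the pf and ftp-proxy documentation. It assumes a FreeBSD gateway with an external interface em0 and an internal interface em1 (hypothetical interface names), ftp-proxy started via rc.conf and listening on its default address 127.0.0.1 port 8021, and Dino's macros and filter rules carried over unchanged. The point it shows is why the original ruleset fails: every FTP transfer opens a second, data connection on a port negotiated inside the control channel, so a static "pass out to port ftp" rule never covers it. ftp-proxy watches the control channel and installs a narrow, per-session rule in the anchors below for each data connection, so the high ports never have to be opened wholesale.

```pf
# /etc/rc.conf (hypothetical host) needs one line so the proxy starts at boot:
#   ftpproxy_enable="YES"

# /etc/pf.conf
ext_if = "em0"                # assumed external interface
int_if = "em1"                # assumed internal (LAN) interface
proxy = "127.0.0.1"           # ftp-proxy's default listen address
proxyport = "8021"            # ftp-proxy's default listen port

tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }"
icmp_types = "echoreq"

# Translation section: ftp-proxy inserts per-session nat/rdr rules here
# (translation rules must precede filter rules in pf).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send LAN clients' FTP control connections to the local proxy instead
# of straight to the server, so the proxy can read the port negotiation.
rdr pass on $int_if proto tcp from any to any port ftp -> $proxy port $proxyport

# Filter section: same default-deny posture as the original ruleset.
block all
pass inet proto icmp all icmp-type $icmp_types keep state
pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services

# Per-session pass rules for the data connections are evaluated at this
# point; they are created and removed by ftp-proxy, not written by hand.
anchor "ftp-proxy/*"

# Let the proxy itself open the control connection to the real server.
pass out proto tcp from $proxy to any port ftp
```

Because pf evaluates the anchor at the position where it appears, the proxy's rules are subject to the same last-match semantics as the rest of the ruleset; putting the anchor after the "block all" line is what lets them take effect. Reloading with pfctl -f /etc/pf.conf and watching pfctl -a "ftp-proxy/*" -sr during a transfer is the usual way to confirm that the proxy is installing the expected rules.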