From owner-freebsd-stable@FreeBSD.ORG Mon Oct 31 09:47:50 2011
Date: Mon, 31 Oct 2011 02:47:48 -0700
From: Jeremy Chadwick
To: Damien Fleuriot
Cc: G??t Andr??s, freebsd-stable@freebsd.org
Subject: Re: pf rdr rule question - corrected
Message-ID: <20111031094748.GA6313@icarus.home.lan>
In-Reply-To: <4EAE6538.4030001@my.gd>
List-Id: Production branch of FreeBSD source code

On Mon, Oct 31, 2011 at 10:07:04AM +0100, Damien Fleuriot wrote:
> On 10/31/11 12:04 AM, G??t Andr??s wrote:
> > Dear All,
> >
> > I'd like to have the following ruleset, for pure-ftpd passive port range:
> >
> > (pasv and past mistyping corrected)
> >
> > ---
> > ftp_pasv_start="X"
> > ftp_pasv_end="Y"
> >
> > rdr on $netif inet proto tcp from any to $internalip port $ftp_pasv_start:$ftp_pasv_end -> $internalip
> >
> > pass in quick on $netif proto tcp from any to $internalip port $ftp_pasv_start >< $ftp_pasv_end keep state flags S/SA
> >
>
> pass in quick on $netif proto tcp from any to $internalip port $ftp_pasv_start:$ftp_pasv_end
>
> Both keep state and flags S/SA are default, you don't need to write them.

The OP did not disclose what version of FreeBSD they're using and as such
may actually need the directives.

I've talked about this at length before -- please see this post which
includes which FreeBSD versions effectively need these directives:

http://markmail.org/message/ch6w5gwne7rfzfz5

On "older" FreeBSD, failure to include these directives will result in
completely broken TCP socket behaviour:

http://permalink.gmane.org/gmane.os.freebsd.devel.pf4freebsd/3990

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
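A pf.conf fragment added here as an illustration (not code from the thread or from anyone on it) that spells out the version-independent form of the ruleset discussed above. It assumes em0 as the external interface, 203.0.113.5 as the public address, 192.0.2.10 as the FTP server and 30000-30100 as the passive range; all of these are constructed values, and the range has to match what pure-ftpd is started with (its -p first:last option).

```conf
# Added example, not from the thread. Interface, addresses and the
# port range below are constructed placeholders; the passive range
# must equal the one pure-ftpd is configured with.
netif="em0"
extip="203.0.113.5"
internalip="192.0.2.10"
ftp_pasv_start="30000"
ftp_pasv_end="30100"

# Redirect the control channel and the passive data range to the server.
rdr on $netif inet proto tcp from any to $extip port 21 -> $internalip
rdr on $netif inet proto tcp from any to $extip \
    port $ftp_pasv_start:$ftp_pasv_end -> $internalip

# Use the inclusive ":" range operator. "X >< Y" is exclusive, so the
# first and last passive ports would never match the pass rule and
# data connections landing on them would be dropped.
#
# "flags S/SA keep state" is written out explicitly: newer pf treats it
# as the default, older pf does not, so stating it makes the rule behave
# the same on either. Filtering happens after translation, hence the
# destination is $internalip, as in the original rules.
pass in quick on $netif inet proto tcp from any to $internalip port 21 \
    flags S/SA keep state
pass in quick on $netif inet proto tcp from any to $internalip \
    port $ftp_pasv_start:$ftp_pasv_end flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` / `pfctl -sr` show the rdr and pass rules with the macros expanded so the inclusive range can be checked before going live.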