Date:      Tue, 4 Mar 2008 11:33:29 -0800
From:      "Michael K. Smith - Adhost" <mksmith@adhost.com>
To:        "Jeremy Chadwick" <koitsu@freebsd.org>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: Confusion about FTP through PF
Message-ID:  <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
In-Reply-To: <20080304010216.GA57085@eos.sc1.parodius.com>
References:  <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com>

Hello All:

> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
> 
Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.

table <ftp_servers> persist { \
        $liv_ftp_ext, \
        $uft_01_ext \
        }

block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21

When I load this rule ftp breaks to everything, including the <ftp_servers> servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?

Regards,

Mike
