Date: Tue, 4 Mar 2008 17:19:10 -0800 From: Jeremy Chadwick <koitsu@freebsd.org> To: "Michael K. Smith - Adhost" <mksmith@adhost.com> Cc: freebsd-pf@freebsd.org Subject: Re: Confusion about FTP through PF Message-ID: <20080305011910.GA7678@eos.sc1.parodius.com> In-Reply-To: <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan> References: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com> <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 04, 2008 at 11:33:29AM -0800, Michael K. Smith - Adhost wrote: > > pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port { > > ftp, 49152:65535 } modulate state flags S/SA > > > Thanks to Jeremy for the line above which works like a champ. The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers. I have the following configuration to that effect. The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'. > > table <ftp_servers> persist { \ > $liv_ftp_ext, \ > $uft_01_ext \ > } > > block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21 > > When I load this rule ftp breaks to everything, including the <ftp_servers> servers. Is it not possible to do a "!" in a block rule or is my syntax fubar? A couple things: 1) What does "breaks to everything" mean? Does it mean the rule starts blocking traffic, or does it mean the rule works as expected but you get "random" disconnects once established, etc? 2) It also depends on where in your pf.conf that rule is located. You're using the "quick" operator, so in the case any incoming packet matches said criteria, rules past that point will not be analysed. This might not be the problem at all, but I thought I'd mention it just in case. 3) I would think that syntax would work, however the pf.conf manpage doesn't seem to indicate that you can a ! with a <table>. It does indicate you can do !1.2.3.4 and so on, but that's not practical in this case. Folks familiar with pf's parser would have to comment on this. There's a logical workaround -- use 2 rules: pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port 21 modulate state flags S/SA block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA If this doesn't work, you should consider sniffing the pflog0 interface (I assume you have pflog enabled in rc.conf) and see what's being denied: tcpdump -s 256 -i pflog0 Finally, note that your block entry doesn't specify any TCP flags, so it's going to block everything, rather than just initial SYN and SYN+ACK situations. That can sometimes lead to what I described in #1. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080305011910.GA7678>