Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Mar 2008 17:19:10 -0800
From:      Jeremy Chadwick <koitsu@freebsd.org>
To:        "Michael K. Smith - Adhost" <mksmith@adhost.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Confusion about FTP through PF
Message-ID:  <20080305011910.GA7678@eos.sc1.parodius.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
References:  <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com> <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 04, 2008 at 11:33:29AM -0800, Michael K. Smith - Adhost wrote:
> > pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> > ftp, 49152:65535 } modulate state flags S/SA
> > 
> Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.
> 
> table <ftp_servers> persist { \                  
>         $liv_ftp_ext, \
>         $uft_01_ext \
>         }           
> 
> block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
> 
> When I load this rule ftp breaks to everything, including the <ftp_servers> servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?

A couple things:

1) What does "breaks to everything" mean?  Does it mean the rule starts
blocking traffic, or does it mean the rule works as expected but you
get "random" disconnects once established, etc?

2) It also depends on where in your pf.conf that rule is located.  You're
using the "quick" operator, so in the case any incoming packet matches
said criteria, rules past that point will not be analysed.  This might
not be the problem at all, but I thought I'd mention it just in case.

3) I would think that syntax would work, however the pf.conf manpage
doesn't seem to indicate that you can a ! with a <table>.  It does
indicate you can do !1.2.3.4 and so on, but that's not practical in this
case.  Folks familiar with pf's parser would have to comment on this.

There's a logical workaround -- use 2 rules:

pass  in     quick on $vlan2_if proto tcp from any to <ftp_servers> port 21 modulate state flags S/SA
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA

If this doesn't work, you should consider sniffing the pflog0 interface
(I assume you have pflog enabled in rc.conf) and see what's being
denied: tcpdump -s 256 -i pflog0

Finally, note that your block entry doesn't specify any TCP flags, so
it's going to block everything, rather than just initial SYN and SYN+ACK
situations.  That can sometimes lead to what I described in #1.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080305011910.GA7678>