From owner-freebsd-pf@freebsd.org Thu Oct 15 00:04:39 2015
Date: Wed, 14 Oct 2015 20:04:36 -0400
From: David Mehler
To: freebsd-pf
Subject: FreeBSD 10, pf and ftp
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I've got pf and ftp-proxy loading; the latter is listening on 127.0.0.1:8021, and I've got the rules below. Any FTP traffic from the host to an FTP server is not working. Can someone tell me where I messed up with the proxy?

Thanks.
Dave.

#
# pf.conf rules
# Establish a block-by-default firewall, allow all outbound traffic, but only allow ports on the list inbound
#

# define the external interface
ext_if="vtnet0"

# Set options
# block-policy can be either drop or return
set block-policy drop

# Avoid doing anything with the lo0 loopback interface
set skip on lo0

scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# for the ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

antispoof quick for ($ext_if)

# Set up tables for IP blocking
# (the <name> tokens of the table rules did not survive the list archive;
# the names below are inferred from the comment and the zone file names,
# and the overload target is assumed to be the same table the first block
# rule reads, which is the only reading consistent with three definitions)
table <childrens> persist
table <cn> persist file "/etc/pf/zones/cn.zone"
table <ru> persist file "/etc/pf/zones/ru.zone"

icmp_types = "echoreq"
icmp6_types = "ipv6-icmp"

# Define services we want to allow out
tcp_services = "{ ftp-data, ftp, ntp, bootpc, bootps, domain, ssh, smtp, www, https, imap, imaps }"
udp_services = "{ bootpc, bootps, domain, ntp }"

# block by default
block all

# Block anything in the childrens table
block in quick proto tcp from <childrens> to any
block in quick proto tcp from <cn> to any port { 80 22 25 }
block in quick proto tcp from <ru> to any port { 80 22 25 }

# pass out any traffic from the host
pass out quick proto tcp to any port $tcp_services keep state
pass out quick proto udp to any port $udp_services keep state

# Allow ssh connections in from the internet
pass in quick inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Pass in http traffic from the internet
pass in quick inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Pass in https traffic from the internet
pass in quick inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Pass in smtp traffic from the internet
pass in quick inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/5, overload <childrens> flush global)

# Allow selected icmp types
#pass quick inet proto icmp all icmp-type $icmp_types keep state
#pass quick inet6 proto ipv6-icmp all icmp-type $icmp6_types keep state
# Allow pings out
#pass out inet proto icmp all icmp-type $icmp_types keep state
# and for ipv6
#pass out inet6 proto icmpv6-icmp all icmp-type $icmp6_types keep state
# (for inet6 the keyword is icmp6-type, not icmp-type, and "ipv6-icmp" is a
# protocol name rather than an ICMPv6 type; echoreq is a valid icmp6-type)
# The above icmp rules aren't working so just allow all of them
pass quick inet proto icmp all icmp-type $icmp_types keep state
pass quick inet6 proto ipv6-icmp all keep state

# For traffic from the ftp proxy
anchor "ftp-proxy/*"
pass out proto tcp from 127.0.0.1 to any port ftp
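The layout below is an added example, not part of the original message and not the poster's own rules. It shows how ftp-proxy is normally wired on FreeBSD 10 and why the rule set above does not carry the host's own FTP sessions: rdr only rewrites packets that arrive on the named interface, so a redirect on $ext_if catches port-21 connections coming in from the Internet (and passes them straight into the proxy, since "rdr pass" bypasses the filter rules), while connections the host itself opens leave $ext_if outbound and are never seen by rdr at all. The gateway part mirrors the rule set in ftp-proxy(8); the internal interface name vtnet1, the $proxy macro and the high-port rule for the host's own passive-mode transfers are assumptions about the setup.

```pf
# Added example (not from the original post): ftp-proxy wiring for pf on
# FreeBSD 10.  Only ext_if="vtnet0" and the proxy address 127.0.0.1:8021
# come from the post; the rest is assumed.
ext_if = "vtnet0"
int_if = "vtnet1"          # assumed LAN interface, only needed for case 1
proxy  = "127.0.0.1"       # ftp-proxy listens here on port 8021

set block-policy drop
set skip on lo0
scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# Translation section: the anchors ftp-proxy fills in per session, and NAT
# for forwarded traffic.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# Case 1: FTP clients behind the gateway (ftp-proxy(8) layout).  The redirect
# sits on the LAN side, where the clients' packets arrive.  There is no
# "rdr pass on $ext_if ... port ftp": port 21 on the external interface stays
# closed by "block all" instead of being handed to the proxy for anyone who
# can get a packet onto vtnet0.
rdr pass on $int_if proto tcp from any to any port ftp -> $proxy port 8021

antispoof quick for ($ext_if)

block all

# Case 1, filter section: the proxy inserts per-session pass rules for the
# data channel into this anchor; the pass out lets its control connection
# reach the server.
anchor "ftp-proxy/*"
pass out proto tcp to any port ftp flags S/SA keep state

# Case 2: FTP from the gateway host itself.  rdr cannot intercept
# host-originated connections, so ftp-proxy is not involved.  In passive
# mode the data channel is a second outbound connection to a high port the
# server chooses, which "port ftp" alone does not cover ("ftp-data" in an
# outbound service list does nothing for passive transfers; active-mode
# data connections arrive inbound from the server and would need a pass in
# rule instead).
pass out quick proto tcp from ($ext_if) to any port ftp flags S/SA keep state
pass out quick proto tcp from ($ext_if) to any port > 1023 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Once a LAN client has opened an FTP session through the proxy, `pfctl -a 'ftp-proxy/*' -sr` lists the rules the proxy inserted for that session and `pfctl -sa` shows the states. The `port > 1023` rule is the price of passive FTP from the firewall host without a proxy; if opening every high TCP port outbound is too loose, narrow it with a `user` option or a table of permitted FTP servers.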