Date: Thu, 7 Jul 2005 14:25:49 -0400
From: Scott Ullrich <sullrich@gmail.com>
To: Michael Weiser <michael@weiser.dinsnail.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pftpx rules not showing in pfctl
Message-ID: <d5992baf05070711252160e8b1@mail.gmail.com>
In-Reply-To: <20050707181620.GA57981@weiser.dinsnail.net>
References: <20050707181620.GA57981@weiser.dinsnail.net>
On 7/7/05, Michael Weiser <michael@weiser.dinsnail.net> wrote:
> Hello,
>
> this may sound ridiculous but I've actually managed to set up pftpx and
> now can't seem to figure out why it works. :)
>
> I've compiled pftpx on my FreeBSD-CURRENT box with some minor tweaking
> because of missing stnvis. I added the required rules to my pf.conf:
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on $intif inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> and
>
> anchor "pftpx/*" on $dslif
> pass out quick on $dslif inet proto tcp from $dslif port $unpriv to any port = ftp modulate state (no-sync) flags S/SA label $dslif-out-ftp
>
> $dslif is xl0 for me. It's present on the anchor because I also have a
> $pppif tun0 which is used occasionally and rules for it are defined
> further down the filter list.
>
> Anyway. I fired up pftpx -d -D 7 and lo, everything works nicely.
>
> Then I went and said 'pfctl -a pftpx -s r' whilst running an ftp
> download. No matter what I do, it says the rule list is empty. When
> running it with '-s a' I see that there are entries for the ftp
> connections in the state table, but still no rules.
>
> Is it supposed to behave that way or should I be seeing some rule
> entries?

First do this: pfctl -sA -v | grep pftpx

# pfctl -sA -v | grep pftpx
pftpx
pftpx/419.1

Then do a:

# pfctl -v -a pftpx/419.1 -sr
pass in log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
  [ Evaluations: 1071      Packets: 8         Bytes: 501        States: 0     ]
pass out log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
  [ Evaluations: 286       Packets: 8         Bytes: 501        States: 0     ]

This will show your rules. ;)

Regards,

Scott
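The reply above shows why "pfctl -a pftpx -s r" looks empty: pftpx loads its per-connection rules into dynamically named sub-anchors (pftpx/419.1 and so on), so an audit of what the proxy has actually opened has to enumerate those sub-anchors first. The script below is an added example, not code from the thread or from pftpx; it assumes FreeBSD's pfctl, and the anchor listing it parses offline is constructed.

```shell
#!/bin/sh
# Added example: enumerate the sub-anchors that pftpx creates under a
# parent anchor and dump the rules loaded in each one. The parent anchor
# itself holds no rules, which is why "pfctl -a pftpx -s r" prints nothing.

# Read "pfctl -sA -v"-style output on stdin and print the anchors that sit
# directly below $1 (parent/child, no deeper nesting). Leading whitespace
# is stripped in case the listing is indented.
list_sub_anchors() {
    parent="$1"
    sed 's/^[[:space:]]*//' | awk -v p="$parent" '
        index($0, p "/") == 1 && split(substr($0, length(p) + 2), a, "/") == 1 { print }'
}

# Build the pfctl invocation that lists the rules loaded in one sub-anchor,
# matching the command used in the reply above.
rules_cmd_for() {
    printf 'pfctl -v -a %s -sr\n' "$1"
}

# Live audit (needs root and a running pf): show every rule pftpx has
# currently loaded, one section per active FTP session.
dump_anchor_rules() {
    parent="${1:-pftpx}"
    pfctl -sA -v | list_sub_anchors "$parent" | while read -r anchor; do
        echo "== $anchor =="
        pfctl -v -a "$anchor" -sr
    done
}

# Constructed sample of "pfctl -sA -v" output for offline demonstration;
# two FTP sessions are active, plus an unrelated anchor that must be skipped.
SAMPLE_ANCHORS='pftpx
  pftpx/419.1
  pftpx/420.1
other'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ANCHORS" | list_sub_anchors pftpx | while read -r a; do
        rules_cmd_for "$a"
    done
fi
```

Run with --demo to see the commands it would issue against the constructed listing; run dump_anchor_rules as root on the firewall to see the live rules.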
