Date: Sun, 15 Feb 2009 20:01:40 -0600
From: "Dirk R. Gently" <dirk.r.gently@gmail.com>
To: freebsd-pf@freebsd.org
Subject: pf blocking ftp on firewall/router, what did I overlook?
Message-ID: <3f4330ce0902151801t436e266j560fcc900d5a1c74@mail.gmail.com>
Thanks for taking the time to read this. I've tried to fix this but am unsure how to do it. Any help would be appreciated.

I built a basic pf.conf for a machine to act as a router/firewall. The problem I'm having is that the pf.conf I built is blocking access to ftp. I've built in ftp-proxy, but if I understand it correctly ftp-proxy allows LAN clients through the firewall; what about the router itself? Without this, I'm unable to update unless I turn off the firewall.

Here's my pf.conf:

# Network Interface Cards (NICs).
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
# $SYNSTATE is referenced by the pass rules below but its definition is not
# present in the archived copy of this message; pfctl refuses to load a
# ruleset with an undefined macro, so a typical value is assumed here.
SYNSTATE="flags S/SA keep state"

table <blockedip> persist file "/etc/pfblocked.conf"

# Options (set skip grouped here with the other set statements).
set block-policy drop
set loginterface $WAN_NIC
set require-order yes
set skip on lo0

scrub in all

nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp -> lo0 port $FTPPORT

antispoof log for { lo0 $WAN_NIC $LAN_NIC }
block drop in log (all) quick on $WAN_NIC from <blockedip> to any
block in log on $WAN_NIC all
anchor "ftp-proxy/*"
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any

I've tested this and pfctl -nf /etc/pf.conf is ok. Any thoughts?

-- 
Dirk R. Gently - http://linuxtidbits.wordpress.com/
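The following is an added example, not the poster's ruleset or anything from the ftp-proxy(8) project; it assumes the same macro names as the post (WAN_NIC="gem0") and shows only the filter rules that change. The point it illustrates: the rdr rule above only catches TCP/21 connections arriving on $LAN_NIC from the LAN, so ftp-proxy never sees an FTP session the router opens itself. For such a session, passive mode works through the existing stateful "pass out" rule (the client opens the data connection outbound too), while active mode fails because the server connects back from its port 20 to an ephemeral port on the router, and that inbound SYN on $WAN_NIC hits "block in log on $WAN_NIC all".

```pf
# Added example (not the poster's pf.conf). Macro assumed from the post:
WAN_NIC="gem0"

# ... options, scrub, nat/rdr and the ftp-proxy anchors as in the post ...

block in log on $WAN_NIC all

# 1. The router's own outbound traffic. "keep state" is written out
#    explicitly so the rules behave the same on pf versions where it is
#    not the default. The state entry is what lets replies back in,
#    including the passive-mode FTP data connection, which the client
#    itself opens outbound and which therefore matches this rule.
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any flags S/SA keep state
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any keep state
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any keep state

# 2. Only if the router itself must use active-mode FTP. The server opens
#    the data connection from its port 20 (ftp-data) to an unprivileged
#    port on the router, which the block rule above drops. Caveat: while
#    this rule is loaded, any host that chooses source port 20 can reach
#    every unprivileged port on the router, so prefer passive mode and
#    leave this rule commented out.
# pass in on $WAN_NIC inet proto tcp from any port ftp-data to ($WAN_NIC) port > 1023 flags S/SA keep state
```

To confirm which case is being hit before changing anything, watch the logged drops while retrying the transfer from the router: tcpdump -n -e -ttt -i pflog0. An active-mode failure shows up as blocked inbound SYNs on gem0 with source port 20. FreeBSD's fetch(1) and ftp(1) both honour the FTP_PASSIVE_MODE environment variable (fetch(3) documents it), so exporting FTP_PASSIVE_MODE=yes in the shell that runs the update is the smallest change that avoids opening anything inbound. pfctl -vsr afterwards shows the per-rule packet counters and confirms the pass out rule, not the block rule, is the one matching.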