Date: Sun, 15 Feb 2009 20:01:40 -0600 From: "Dirk R. Gently" <dirk.r.gently@gmail.com> To: freebsd-pf@freebsd.org Subject: pf blocking ftp on firewall/router, what did I overlook? Message-ID: <3f4330ce0902151801t436e266j560fcc900d5a1c74@mail.gmail.com>
Thanks for taking the time to read this. I've tried to fix this but am
unsure how to do it. Any help would be appreciated.
I built a basic pf.conf for a machine to act as a router/firewall. The
problem I'm having is that the pf.conf I built is blocking access to ftp.
I've built in ftp-proxy but if I understand it correctly ftp-proxy allows LAN
clients through the firewall, what about the router itself? Without this,
I'm unable to update unless I turn off the firewall. Here's my pf.conf:
# Network Interface Cards (NICs).
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
# Assumed definition: $SYNSTATE is referenced below but is not defined in the posted config.
SYNSTATE="flags S/SA keep state"
table <blockedip> persist file "/etc/pfblocked.conf"
set block-policy drop
set loginterface $WAN_NIC
set require-order yes
# Moved up with the other options: with "set require-order yes", set statements must precede translation rules.
set skip on lo0
scrub in all
nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp \
    -> lo0 port $FTPPORT
antispoof log for { lo0 $WAN_NIC $LAN_NIC }
block drop in log (all) quick on $WAN_NIC from <blockedip> to any
block in log on $WAN_NIC all
anchor "ftp-proxy/*"
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any
I've tested this and pfctl -nf /etc/pf.conf is ok. Any thoughts?
--
Dirk R. Gently - http://linuxtidbits.wordpress.com/
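Added example, not part of the original post: a small Python lint that joins pf.conf continuation lines and reports macros used before they are defined and rules with an unterminated quote, run over a trimmed copy of the config posted above. The regexes and the `lint_pf_conf` / `logical_lines` names are this example's own, not pfctl's.

```python
import re

# Constructed sample: a trimmed copy of the pf.conf posted above, keeping the
# two defects it shows (an unterminated quote and a macro that is never defined).
SAMPLE_PF_CONF = """\
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp \\
    -> lo0 port $FTPPORT
anchor "ftp-proxy/*
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"]*)"?\s*$')
MACRO_USE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

def logical_lines(text):
    """Join pf.conf continuation lines (trailing backslash) into one rule."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1].rstrip() + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf.rstrip()

def lint_pf_conf(text):
    """Return [(logical_line_no, message)] for quoting and macro defects."""
    defined, problems = set(), []
    for no, line in enumerate(logical_lines(text), 1):
        body = line.split("#", 1)[0].rstrip()   # drop trailing comments
        if not body:
            continue
        if body.count('"') % 2:
            problems.append((no, "unterminated quote"))
        m = MACRO_DEF.match(body)
        if m:                                   # NAME="value" defines a macro
            defined.add(m.group(1))
            continue
        for name in MACRO_USE.findall(body):    # $NAME must already be defined
            if name not in defined:
                problems.append((no, f"macro ${name} used before definition"))
    return problems

if __name__ == "__main__":
    for no, msg in lint_pf_conf(SAMPLE_PF_CONF):
        print(f"line {no}: {msg}")
```

pfctl -nf is still the authoritative check; this only catches the two classes of paste damage a config tends to pick up on its way into a mail.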