From: "Dirk R. Gently" <dirk.r.gently@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 15 Feb 2009 20:01:40 -0600
Subject: pf blocking ftp on firewall/router, what did I overlook?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks for taking the time to read this. I've tried to fix this but am unsure how to do it. Any help would be appreciated.

I built a basic pf.conf for a machine to act as a router/firewall. The problem I'm having is that the pf.conf I built is blocking access to ftp. I've built in ftp-proxy, but if I understand it correctly, ftp-proxy allows LAN clients through the firewall; what about the router itself? Without this, I'm unable to update unless I turn off the firewall.

Here's my pf.conf:

# Network Interface Cards (NIC)s.
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
# The SYNSTATE definition did not survive in the post as received; this is
# the usual value for a macro of that name and is assumed here.
SYNSTATE="flags S/SA keep state"

# Table of blocked sources. The table name was lost in transcription;
# <pfblocked> is assumed from the file name.
table <pfblocked> persist file "/etc/pfblocked.conf"

# Options.
set block-policy drop
set loginterface $WAN_NIC
set require-order yes
set skip on lo0

# Normalization.
scrub in all

# Translation: NAT for the LAN, plus the ftp-proxy anchors and the redirect
# that sends LAN ftp clients to ftp-proxy listening on lo0.
nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp -> lo0 port $FTPPORT

# Filtering.
antispoof log for { lo0 $WAN_NIC $LAN_NIC }
block drop in log (all) quick on $WAN_NIC from <pfblocked> to any
block in log on $WAN_NIC all
anchor "ftp-proxy/*"
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any

I've tested this and pfctl -nf /etc/pf.conf is ok. Any thoughts?

-- 
Dirk R. Gently - http://linuxtidbits.wordpress.com/
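An added example, not part of the original post: a small Python checker for a pf.conf that has been pasted into a mail, for the reviewer off-box who cannot run pfctl -nf against it. It reports macros used before they are defined, unterminated double quotes and tables referenced without a declaration, which is what pfctl would reject on the box. SAMPLE is constructed from the ruleset above and keeps the two transcription defects it was posted with (the unclosed anchor quote and the undefined $SYNSTATE).

```python
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"(.*)"\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
TABLE_DEF = re.compile(r'^\s*table\s*<([^>]+)>')
TABLE_REF = re.compile(r'<([^>]+)>')

# Constructed sample: the essentials of the posted ruleset, keeping the two
# defects that pfctl -nf would reject (unterminated quote, undefined macro).
SAMPLE = """\
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
table <pfblocked> persist file "/etc/pfblocked.conf"
block drop in log (all) quick on $WAN_NIC from <pfblocked> to any
anchor "ftp-proxy/*
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
"""

def lint_pfconf(text):
    """Return [(lineno, message)] for undefined macros, unterminated double
    quotes and tables used but never declared. pf.conf requires macros and
    tables to be defined before use, so definitions are tracked in file order.
    Comments are stripped at the first '#'; a '#' inside quotes is not handled.
    """
    macros, tables, problems = set(), set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]
        if not line.strip():
            continue
        if line.count('"') % 2:
            problems.append((n, 'unterminated double quote'))
        for name in MACRO_REF.findall(line):      # references before this
            if name not in macros:                # line's own definition
                problems.append((n, f'undefined macro ${name}'))
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
            continue
        t = TABLE_DEF.match(line)
        if t:
            tables.add(t.group(1).strip())
            continue
        for name in TABLE_REF.findall(line):
            if name.strip() not in tables:
                problems.append((n, f'undeclared table <{name.strip()}>'))
    return problems

if __name__ == '__main__':
    for lineno, msg in lint_pfconf(SAMPLE):
        print(f'line {lineno}: {msg}')
```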