From: Didier Wiroth
To: freebsd-pf@freebsd.org
Date: Thu, 23 Dec 2004 18:28:41 +0100
Message-id: <2e5ff705f48.41cb0e59@etat.lu>
Subject: new passive ftp / ftp-proxy problem.

Hi,

I'm trying different pf.conf files for my home router. I would like to change my actual pf.conf to a default "block all" policy and explicitly allow/open the ports I need.

How do I have to modify the pf.conf sample below to allow passive ftp, is this even possible? Please keep in mind that I want to keep the default "block all".

I would like to use ftp-proxy started from inetd like this:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

As a test, I created a very simple pf.conf, which actually doesn't work:

#variables
int_if="sis0"
ext_if="tun0"

# options
set block-policy return
set loginterface $ext_if

# nat
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy

pass quick on lo0 all
block log-all all

#ftp connections
pass in on $int_if inet proto tcp from $int_if:network to { $int_if, localhost } port ftp-proxy keep state
pass out on $ext_if inet proto tcp from $ext_if to any port ftp keep state user proxy
-----------------end snip ----------------

Why isn't this working?

Thx a lot
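For reference, an added example ruleset (editor's addition, not part of the original post or of the FreeBSD project's documentation) showing how the default-deny policy above can be kept while still letting the inetd ftp-proxy work. The posted ruleset only lets the proxy's control connection out to port 21. In passive mode the FTP server answers PASV with a 227 reply naming a port above 1023, and with this proxy it is the proxy process (running as user proxy), not the LAN client, that opens the data connection to that port; under "block all" nothing passes it, so logins succeed but directory listings and transfers hang. The example reuses the interface names and the -u proxy / -m 55000 / -M 57000 values from the post and goes beyond the question by also covering active mode, where the server connects back to the proxy's own port in that range.

```pf
# Added example ruleset for the setup described in the post; assumes the
# same interfaces (sis0 inside, tun0 outside) and the same inetd line
# (ftp-proxy -u proxy -m 55000 -M 57000 -t 180).
int_if="sis0"
ext_if="tun0"

set block-policy return
set loginterface $ext_if

# ($ext_if) re-reads the address of tun0 whenever it changes, so a PPP
# redial does not need a pfctl reload; the post used the bare $ext_if.
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

# Send LAN clients' FTP control connections to the local proxy. Filter
# rules below see the translated destination (127.0.0.1 port ftp-proxy).
rdr on $int_if proto tcp from $int_if:network to any port ftp -> 127.0.0.1 port ftp-proxy

pass quick on lo0 all
block log-all all

# LAN -> proxy: the redirected control connection.
pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port ftp-proxy keep state

# proxy -> server: control channel (this is the only rule the post had).
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy keep state

# proxy -> server: passive-mode data channel. The server announces a port
# above 1023 in its 227 reply and the proxy connects to it, so only
# outbound connections owned by the proxy user are allowed here.
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 user proxy keep state

# server -> proxy: active-mode data channel. The proxy rewrites the client's
# PORT command to one of its own ports in the -m/-M range and the server
# connects back to it from ftp-data (port 20).
pass in on $ext_if inet proto tcp from any port ftp-data to ($ext_if) port 55000:57000 user proxy keep state
```

Because the catch-all rule is "block log-all all", the blocked data connections show up on pflog0; running tcpdump -n -e -ttt -i pflog0 while a client issues a directory listing shows the outbound SYN from the proxy to the server's high port being dropped, which is the quickest way to confirm this diagnosis before changing the ruleset. Keeping "user proxy" on the data rules limits the high-port exceptions to connections the proxy process itself owns, so the default-deny policy still holds for everything else on the router.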