Date: Thu, 6 Mar 2008 10:34:07 -0800
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Jeremy Chadwick" <koitsu@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: RE: Confusion about FTP through PF
Message-ID: <17838240D9A5544AAA5FF95F8D52031603699CE4@ad-exh01.adhost.lan>
In-Reply-To: <20080305011910.GA7678@eos.sc1.parodius.com>
References: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com> <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan> <20080305011910.GA7678@eos.sc1.parodius.com>
Hello Jeremy (et al.):

We found the issue and I wanted to share the solution. As before, this rule worked as expected:

# --
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
# --

However, when the following rule was in place, we couldn't get any ftp traffic to the ftp servers. We tried modifying the rule by replacing ! <ftp_servers> with individual IPs and server macros, but nothing seemed to fix it. However, when we removed the rule entirely, we could ftp to the servers, but we could also ftp to the PF devices themselves, which was not what we wanted.

#--
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
#--

Next, we tried this rule, but we experienced the same results.

#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--

Finally, we had success.

#--
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA
#--

Where

#--
table <firewall> const { self }
#--

This allows ftp traffic through the PF firewall to the ftp servers but disallows ftp connections to the PF devices themselves, which are allowed to pass with

#--
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
#--

Thanks again to Jeremy for the various rules and the explanation of ftp methodology, without which we would have gotten stuck with the 49152:65535 port range requirements.
Regards,

Mike
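For readers who want to see the final rules from the message above assembled into a loadable ruleset, here is an added example; it is not the poster's own pf.conf, only the block and pass rules he ends with, placed in a minimal file. The interface name, the addresses in <ftp_servers> and the macro value are placeholders assumed for illustration.

```pf
# Added example (not from the original message): minimal pf.conf built
# from the rules that finally worked.  Interface and addresses are
# placeholders.
vlan2_if = "vlan2"

# FTP servers behind the firewall (placeholder addresses)
table <ftp_servers> { 192.0.2.10, 192.0.2.11 }

# "self" expands to every address configured on the firewall itself,
# so this table names the PF devices rather than the servers.
table <firewall> const { self }

# No "quick" here: PF evaluates rules top to bottom and the last
# matching rule decides, so this block only wins for packets that no
# later rule claims.  Only connections to the firewall's own
# addresses on port 21 are logged and dropped.
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA

# Control channel (21) plus the passive data-port range the servers
# hand out.  "quick" makes a match here final, so FTP to the servers
# is never re-evaluated against anything below this rule.
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; afterwards `pfctl -sr` shows the rules as loaded and `pfctl -t ftp_servers -T show` confirms the table actually contains the server addresses, which is worth checking whenever a `! <table>` rule behaves unexpectedly, since a negated empty or mistyped table matches every destination.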