From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 19:32:40 2004
From: Max Laier
To: freebsd-pf@freebsd.org
cc: Didier Wiroth
Date: Thu, 23 Dec 2004 20:32:34 +0100
Subject: Re: new passive ftp / ftp-proxy problem.
In-Reply-To: <2e5ff705f48.41cb0e59@etat.lu>
Message-Id: <200412232032.36565.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)

On Thursday 23 December 2004 18:28, Didier Wiroth wrote:
> Hi,
>
> I'm trying different pf.conf for my home router. I would like to change
> my actual pf.conf to a default "block all" policy and explicitly
> allow/open the ports I need.
>
> How do you have to modify the below pf.conf sample to allow passive ftp, is
> this even possible? Please keep in mind that I want to keep the default
> "block all".
>
> I would like to use ftp-proxy started from inetd like this:
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> As a test, I created a very simple pf.conf, which actually doesn't work:
> #variables
> int_if="sis0"
> ext_if="tun0"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy
>
> pass quick on lo0 all
> block log-all all
>
> #ftp connections
> pass in on $int_if inet proto tcp from $int_if:network to \
>     { $int_if, localhost } port ftp-proxy keep state
> pass out on $ext_if inet proto tcp from $ext_if to any port ftp \
>     keep state user proxy

Add at least:

pass in on $ext_if inet proto tcp from any to ($ext_if) port 55000:57000 \
    keep state user proxy

> -----------------end snip ----------------
> Why isn't this working?

You can also watch "$tcpdump -n -e -ttt -i pflog0" to see what is dropped. You
will quickly figure out what belongs to your ftp connection and what you need to
enable.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
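As an added example (not part of the reply above, nor code from pf or ftp-proxy), a small Python helper that triages the pflog0 output the reply suggests watching: it parses constructed tcpdump -n -e -ttt lines (made-up addresses, format approximated from the -e rule/verdict/interface prefix) and picks out the blocked inbound connections on the external interface that land in the ftp-proxy -m/-M port range, which is what the suggested pass rule admits. The interface name tun0 and the range 55000:57000 come from the thread; the sample lines and rule numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output (made-up addresses, approximated format).
SAMPLE_PFLOG = """\
000000 rule 3/0(match): block in on tun0: 203.0.113.10.20 > 198.51.100.7.55012: S 10001:10001(0) win 5840 <mss 1460>
000347 rule 3/0(match): block in on tun0: 203.0.113.10.20 > 198.51.100.7.55013: S 10002:10002(0) win 5840 <mss 1460>
000512 rule 3/0(match): block in on tun0: 192.0.2.44.4321 > 198.51.100.7.22: S 10003:10003(0) win 65535 <mss 1460>
001200 rule 3/0(match): block in on sis0: 192.168.1.20.1032 > 192.168.1.1.55500: S 10004:10004(0) win 65535 <mss 1460>
"""

# -e prints rule, verdict, direction, interface, then "src.port > dst.port:" (IPv4, -n so no names).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """One dict per parseable pflog line; anything else is skipped."""
    flows = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            f = m.groupdict()
            for k in ("rule", "sport", "dport"):
                f[k] = int(f[k])
            flows.append(f)
    return flows

def blocked_data_connections(flows, ext_if, minport, maxport):
    """Inbound blocks on ext_if aimed at the ftp-proxy -m/-M port range:
    the data connections the default block is still eating."""
    return [f for f in flows
            if f["action"] == "block" and f["dir"] == "in"
            and f["ifname"] == ext_if and minport <= f["dport"] <= maxport]

def summarize_blocks(flows):
    """Blocked flows per (interface, direction, dst port), to spot missing rules."""
    return Counter((f["ifname"], f["dir"], f["dport"])
                   for f in flows if f["action"] == "block")

if __name__ == "__main__":
    flows = parse_pflog(SAMPLE_PFLOG)
    for f in blocked_data_connections(flows, "tun0", 55000, 57000):
        print("data connection from %s.%d blocked on %s port %d"
              % (f["src"], f["sport"], f["ifname"], f["dport"]))
    for (ifname, direction, port), n in summarize_blocks(flows).most_common():
        print("%s %s port %d: %d blocked" % (ifname, direction, port, n))
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_triage.py` after swapping the sample for sys.stdin; the per-port summary shows which ports the remaining block rules are hitting.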