From owner-freebsd-questions@FreeBSD.ORG Tue Jul 5 12:09:52 2005
From: Gareth Bailey
To: freebsd-questions
Date: Tue, 5 Jul 2005 14:09:51 +0200
Subject: LAN FTP problem with sample PF ruleset
Message-ID: <48a5f32a050705050979c91efd@mail.gmail.com>
List-Id: User questions

Hi all,

My LAN doesn't have FTP access using the sample PF ruleset from the openbsd site. My rules are as follows, any help as to where I'm going wrong would be great, thanks!
RULESET:

# macros
int_if = "xl0"
ext_if = "rl0"
#
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 0.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# pass in on $ext_if proto tcp from any to $comp3 port 80 flags S/SA synproxy state

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
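The checks a reviewer would run over a ruleset like the one above before debugging on the box, as an added example that is not part of the original mail or of PF itself: it reads pf.conf macro and rdr syntax, flags macros that are referenced but never defined, points out rdr targets on the loopback that need a local listener (the ftp-proxy the rdr to 127.0.0.1 port 8021 relies on), and notes rules that match on a socket owner such as "user proxy". The embedded ruleset is a constructed, trimmed copy of the posted rules.

```python
import re

# Constructed sample: the LAN FTP rules from the mail, trimmed. This
# linter is an added example, not code from the mail or from the PF project.
RULESET = """\
int_if = "xl0"
ext_if = "rl0"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
block all
pass quick on lo0 all
# pass in on $ext_if proto tcp from any to $comp3 port 80 flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$')
RDR_RE = re.compile(r"^rdr\b.*\bport\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)")
USER_RE = re.compile(r"\buser\s+(\w+)")

def lint(conf):
    """Return findings to verify on the host: undefined macros, rdr targets
    that need a local listener (check with sockstat -4l), and rules that
    depend on a local account (the proxy must run as that user)."""
    macros, rules, findings = {}, [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # pf.conf comments run to end of line
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    for line in rules:
        for name in re.findall(r"\$(\w+)", line):
            if name not in macros:
                findings.append(f"undefined macro ${name} in: {line}")
        m = RDR_RE.match(line)
        if m and m.group(2).startswith("127."):
            findings.append(f"rdr of port {m.group(1)} needs a listener on "
                            f"{m.group(2)}:{m.group(3)} (ftp-proxy via inetd)")
        u = USER_RE.search(line)
        if u:
            findings.append(f"rule matches socket owner '{u.group(1)}': the "
                            f"account must exist and the proxy must run as it")
    return findings

if __name__ == "__main__":
    for finding in lint(RULESET):
        print(finding)
```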