Date: Tue, 5 Jul 2005 09:30:41 -0400 From: "fbsd_user" <fbsd_user@a1poweruser.com> To: "Gareth Bailey" <gjbailey@gmail.com>, "freebsd-questions" <freebsd-questions@freebsd.org> Subject: RE: LAN FTP problem with sample PF ruleset Message-ID: <MIEPLLIBMLEEABPDBIEGMEDDHIAA.fbsd_user@a1poweruser.com> In-Reply-To: <48a5f32a050705050979c91efd@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
A sample means they expect you to change it before using.
Do you have FTP working without a firewall in the way???
You have to get that working first.
Do you really have a private LAN behind your firewall box?
The rules you listed will not even load because of syntax errors.
Why worry about getting FTP to pass through PF when you don't even
have any rules loaded into pf yet.
You really need to read the firewall section of the handbook for
background understanding.
Then read the pf man pages. It's all explained in the man pages.
-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gareth
Bailey
Sent: Tuesday, July 05, 2005 8:10 AM
To: freebsd-questions
Subject: LAN FTP problem with sample PF ruleset
Hi all,
My LAN doesn't have FTP access using the sample PF ruleset from the
openbsd
site.
My rules are as follows, any help as to where I'm going wrong would
be
great, thanks!
RULESET:
# macros
int_if = "xl0"
ext_if = "rl0"
# tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8 <http://127.0.0.0/8>,
0.0.0.0/8<http://0.0.0.0/8>,
192.168.0.0/16 <http://192.168.0.0/16>, 172.16.0.0/12
<http://172.16.0.0/12>,
10.0.0.0/8 <http://10.0.0.0/8>; }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 ->
127.0.0.1<http://127.0.0.1>port 8021
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# pass in on $ext_if proto tcp from any to $comp3 port 80 flags S/SA
synproxy state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user
proxy flags
S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGMEDDHIAA.fbsd_user>