From owner-freebsd-pf@FreeBSD.ORG Tue Mar 4 19:33:30 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E58431065671; Tue, 4 Mar 2008 19:33:30 +0000 (UTC) (envelope-from mksmith@adhost.com)
Received: from mail-in05.adhost.com (mail-in05.adhost.com [216.211.128.133]) by mx1.freebsd.org (Postfix) with ESMTP id C8B1B8FC18; Tue, 4 Mar 2008 19:33:30 +0000 (UTC) (envelope-from mksmith@adhost.com)
Received: from ad-exh01.adhost.lan (unknown [216.211.143.69]) by mail-in05.adhost.com (Postfix) with ESMTP id 1E7AF16481D; Tue, 4 Mar 2008 11:33:29 -0800 (PST) (envelope-from mksmith@adhost.com)
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
x-pgp-mapi-encoding-version: 2.5.0
x-pgp-encoding-format: MIME
Content-Type: multipart/signed; boundary="PGP_Universal_15D556F9_5454DFDE_E4976344_1B32EFE7"; protocol="application/pgp-signature"; micalg=pgp-sha1
x-pgp-encoding-version: 2.0.2
Content-class: urn:content-classes:message
Date: Tue, 4 Mar 2008 11:33:29 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
In-Reply-To: <20080304010216.GA57085@eos.sc1.parodius.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Confusion about FTP through PF
Thread-Index: Ach9k2XamDqTg51OQ/aJ9nKR9jLRVQAmrzww
References: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan> <20080304010216.GA57085@eos.sc1.parodius.com>
From: "Michael K. Smith - Adhost"
To: "Jeremy Chadwick"
Cc: freebsd-pf@freebsd.org
Subject: RE: Confusion about FTP through PF
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 04 Mar 2008 19:33:31 -0000

Hello All:

> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
>

Thanks to Jeremy for the line above which works like a champ. The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers. I have the following configuration to that effect. The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.

table <ftp_servers> persist { \
    $liv_ftp_ext, \
    $uft_01_ext \
}

block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21

When I load this rule ftp breaks to everything, including the servers. Is it not possible to do a "!" in a block rule or is my syntax fubar?
Regards,

Mike
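An added model of how pf.conf(5) evaluates the two rules discussed above; it is not pf's own code and not part of this thread. It assumes "!" negates only the address term it precedes, that "quick" stops evaluation at the first match, that $vlan2_if is the inbound interface for the block rule, and it uses constructed addresses for the two table entries, since the real ones are not on the page.

```python
# Constructed stand-ins for $liv_ftp_ext and $uft_01_ext (not the real addresses).
import ipaddress

FTP_SERVERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

# The two rules from the thread, in evaluation order. "dst" is either a literal
# address or the name of a table; "neg" is the "!" in front of the address term.
RULES = [
    {"action": "pass", "iface": "ext_if", "dst": "72.20.106.8", "neg": False,
     "ports": {21} | set(range(49152, 65536)), "quick": True},
    {"action": "block", "iface": "vlan2_if", "dst": "ftp_servers", "neg": True,
     "ports": {21}, "quick": True},
]


def dst_matches(rule, dst, tables):
    """Address term only: "! <table>" is true exactly when dst is NOT in the table."""
    if rule["dst"] in tables:
        hit = dst in tables[rule["dst"]]
    else:
        hit = dst == ipaddress.ip_address(rule["dst"])
    return (not hit) if rule["neg"] else hit


def evaluate(iface, dst, dport, tables=None, default="pass"):
    """Action pf would take for an inbound TCP packet to dst:dport on iface.

    Every term of a rule (interface, address, port) must match for the rule to
    apply; a matching "quick" rule ends evaluation. A table that loads empty
    makes "! <table>" true for every destination, so the block rule then hits
    the FTP servers as well.
    """
    tables = {"ftp_servers": FTP_SERVERS} if tables is None else tables
    dst = ipaddress.ip_address(dst)
    decision = default
    for rule in RULES:
        if rule["iface"] != iface:
            continue
        if not dst_matches(rule, dst, tables):
            continue
        if dport not in rule["ports"]:
            continue
        decision = rule["action"]
        if rule["quick"]:
            break
    return decision
```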