From owner-freebsd-pf@FreeBSD.ORG  Thu Mar  6 18:34:13 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B43B11065671;
	Thu,  6 Mar 2008 18:34:13 +0000 (UTC)
	(envelope-from mksmith@adhost.com)
Received: from mail-in03.adhost.com (mail-in03.adhost.com [216.211.128.143])
	by mx1.freebsd.org (Postfix) with ESMTP id 8A4978FC13;
	Thu,  6 Mar 2008 18:34:13 +0000 (UTC)
	(envelope-from mksmith@adhost.com)
Received: from ad-exh01.adhost.lan (unknown [216.211.143.69])
	by mail-in03.adhost.com (Postfix) with ESMTP id 11857119C3A;
	Thu,  6 Mar 2008 10:34:12 -0800 (PST)
	(envelope-from mksmith@adhost.com)
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
x-pgp-mapi-encoding-version: 2.5.0
x-cr-hashedpuzzle: B/s= BTNC B1Xa CHRB DVxC FwrN LR1D NTG8 NslY QfmG QkeE RKVC
	RgpZ R2sd SGFA UIci; 2;
	ZgByAGUAZQBiAHMAZAAtAHAAZgBAAGYAcgBlAGUAYgBzAGQALgBvAHIAZwA7AGsAbwBpAHQAcwB1AEAAZgByAGUAZQBiAHMAZAAuAG8AcgBnAA==;
	Sosha1_v1; 7; {F3B56BD4-8A58-4920-AAAF-E0FCEA14B0D9};
	bQBrAHMAbQBpAHQAaABAAGEAZABoAG8AcwB0AC4AYwBvAG0A;
	Thu, 06 Mar 2008 18:34:07 GMT;
	UgBFADoAIABDAG8AbgBmAHUAcwBpAG8AbgAgAGEAYgBvAHUAdAAgAEYAVABQACAAdABoAHIAbwB1AGcAaAAgAFAARgA=
Content-Type: multipart/signed;
	boundary="PGP_Universal_2987A05B_A6E80269_3540D3AC_66BEDA8E";
	protocol="application/pgp-signature"; micalg=pgp-sha1
x-cr-puzzleid: {F3B56BD4-8A58-4920-AAAF-E0FCEA14B0D9}
x-pgp-encoding-format: MIME
x-pgp-encoding-version: 2.0.2
Content-class: urn:content-classes:message
Date: Thu, 6 Mar 2008 10:34:07 -0800
Message-ID: <17838240D9A5544AAA5FF95F8D52031603699CE4@ad-exh01.adhost.lan>
In-Reply-To: <20080305011910.GA7678@eos.sc1.parodius.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Confusion about FTP through PF
Thread-Index: Ach+Xu1oVuKC5kiMS0qLkYa3Oiu/RgBWGpSA
References: <17838240D9A5544AAA5FF95F8D520316036997D3@ad-exh01.adhost.lan>
	<20080304010216.GA57085@eos.sc1.parodius.com>
	<17838240D9A5544AAA5FF95F8D52031603699A2A@ad-exh01.adhost.lan>
	<20080305011910.GA7678@eos.sc1.parodius.com>
From: "Michael K. Smith - Adhost" <mksmith@adhost.com>
To: "Jeremy Chadwick" <koitsu@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: RE: Confusion about FTP through PF
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2008 18:34:13 -0000


--PGP_Universal_2987A05B_A6E80269_3540D3AC_66BEDA8E
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: QUOTED-PRINTABLE

Hello Jeremy (et. al.):

We found the issue and I wanted to share the solution.

As before, this rule worked as expected:

# --
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { =
ftp, 49152:65535 } modulate state flags S/SA
# --

However, when the following rule was in place, we couldn't get any ftp traf=
fic to the ftp servers.  We tried modifying the rule by replacing ! <ftp_se=
rvers> with individual IP's and server macros, but nothing seemed to fix it=
.  However, when we removed the rule entirely, we could ftp to the servers,=
 but we could also ftp to the PF devices themselves, which was not what we =
wanted.

#--
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port =
21
#--

Next, we tried this rule, but we experienced the same results.

#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--

Finally, we had success.

#--
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/=
SA
#--

Where

#--
table <firewall> const { self }
#--

This allows ftp traffic through the PF firewall to the ftp servers but disa=
llows ftp connections to the PF devices themselves. which are allowed to pa=
ss with

#--
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp, =
49152:65535 } modulate state flags S/SA
#--

Thanks again to Jeremy for the various rules and the explanation of ftp met=
hodology, without which we would have gotten stuck with the 49152:65535 por=
t range requirements.

Regards,

Mike

--PGP_Universal_2987A05B_A6E80269_3540D3AC_66BEDA8E
Content-Type: application/pgp-signature;
	name="PGP.sig"
Content-Transfer-Encoding: 7BIT
Content-Disposition: attachment;
	filename="PGP.sig"

-----BEGIN PGP SIGNATURE-----
Version: 9.8.0 (Build 2158)

iQEVAwUBR9A5H/TXQhZ+XcVAAQjQwwgAt+ZlkrBUetji9UcG4aNnFO+kL8mycGM8
BxT+gQXCt3UizevGBBbGna5dP12VLbaFCSghgoqW6BsEbqZXWk2aWyGPameMtGPW
mA/WZ/IEhLolgJt0wpbqc5AcyyG+dRAFXDt8YMk+CR4Y9zduh9bWUUE7FXpDirMX
fpWxgYxFQSorjWz/uG/Th6RSuufAQGOoJy4d/e8uy62t0J3ptKRFqbgnl4qFaFTG
dKmnSbyhMA5/N9ZFMhtBSlDyfjjmc7uLTP8dYIopka6USuLR2ZYf67l/TABUEjbf
ARjES5GwHb6P42Gr5BW6j44X56Vd7rHf85dieqpmrmuF9nXw52y2zg==
=968B
-----END PGP SIGNATURE-----

--PGP_Universal_2987A05B_A6E80269_3540D3AC_66BEDA8E--