Date: Mon, 31 Oct 2011 02:47:48 -0700
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: Damien Fleuriot <ml@my.gd>
Cc: G??t Andr??s <andrej@antiszoc.hu>, freebsd-stable@freebsd.org
Subject: Re: pf rdr rule question - corrected
Message-ID: <20111031094748.GA6313@icarus.home.lan>
In-Reply-To: <4EAE6538.4030001@my.gd>
References: <c677c67c90aed9e568895aaee0039732@antiszoc.hu> <4EAE6538.4030001@my.gd>
On Mon, Oct 31, 2011 at 10:07:04AM +0100, Damien Fleuriot wrote:
> On 10/31/11 12:04 AM, G??t Andr??s wrote:
> > Dear All,
> >
> > I'd like to have the following ruleset, for pure-ftpd passive port range:
> >
> > (pasv and past mistyping corrected)
> >
> > ---
> > ftp_pasv_start="X"
> > ftp_pasv_end="Y"
> >
> > rdr on $netif inet proto tcp from any to $internalip port
> > $ftp_pasv_start:$ftp_pasv_end -> $internalip
> >
> > pass in quick on $netif proto tcp from any to $internalip port
> > $ftp_pasv_start >< $ftp_pasv_end keep state flags S/SA
> >
>
> pass in quick on $netif proto tcp from any to $internalip port
> $ftp_pasv_start:$ftp_pasv_end
>
> Both keep state and flags S/SA are default, you don't need to write them.

The OP did not disclose what version of FreeBSD they're using and as such
may actually need the directives.

I've talked about this at length before -- please see this post which
includes which FreeBSD versions effectively need these directives:

http://markmail.org/message/ch6w5gwne7rfzfz5

On "older" FreeBSD, failure to include these directives will result in
completely broken TCP socket behaviour:

http://permalink.gmane.org/gmane.os.freebsd.devel.pf4freebsd/3990

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
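The following pf.conf fragment is an added example, not a ruleset posted by anyone in this thread. It puts together the points raised above: an inclusive `start:end` port range rather than the exclusive `><` operator the OP first used, an rdr for the pure-ftpd passive range, and the `flags S/SA keep state` directives written out explicitly so the same file behaves the same on the older FreeBSD releases Jeremy refers to. It assumes the common NAT layout of an external address (`$extip`) redirected to an internal FTP host (`$internalip`), plus an rdr for the port 21 control connection; the interface name, addresses and port numbers are placeholders.

```pf
# Added example (not from the thread). Interface, addresses and the
# passive range are assumed placeholder values.
netif = "em0"               # external interface (assumption)
extip = "198.51.100.2"      # public address clients connect to (TEST-NET-2 placeholder)
internalip = "192.0.2.10"   # host running pure-ftpd (TEST-NET-1 placeholder)

# These must match "PassivePortRange 40000 40100" in pure-ftpd.conf,
# otherwise the server advertises ports the firewall never redirects.
ftp_pasv_start = "40000"
ftp_pasv_end = "40100"

# Control connection: redirect port 21 on the external address to the FTP host.
rdr on $netif inet proto tcp from any to $extip port 21 -> $internalip

# Data connections for passive mode.
# "a:b" is an inclusive range; "a >< b" excludes both endpoints, so the
# first and last passive port would silently never be redirected.
rdr on $netif inet proto tcp from any to $extip \
    port $ftp_pasv_start:$ftp_pasv_end -> $internalip

# Filter rules are evaluated after translation, so they match the
# translated destination ($internalip), not $extip.
# "flags S/SA" and "keep state" are the defaults on current pf, but older
# FreeBSD releases need them spelled out; keeping them costs nothing and
# avoids the broken TCP behaviour Jeremy describes when the ruleset is
# loaded on an older host.
pass in quick on $netif inet proto tcp from any to $internalip \
    port 21 flags S/SA keep state
pass in quick on $netif inet proto tcp from any to $internalip \
    port $ftp_pasv_start:$ftp_pasv_end flags S/SA keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, which catches a mistyped range operator; after loading, `pfctl -sn` and `pfctl -sr` print the translation and filter rules as pf actually expanded them, so the macro substitution and the port range can be checked against what pure-ftpd is configured to advertise.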