From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 04:13:27 2004
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 502D016A4CF; Sun, 19 Dec 2004 04:13:27 +0000 (GMT)
Received: from smtp02.net-yan.com (smtp02.hgcbroadband.com [210.0.255.157]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A6E743D55; Sun, 19 Dec 2004 04:13:26 +0000 (GMT) (envelope-from sam.wun@authtec.com)
Received: (qmail 91381 invoked from network); 19 Dec 2004 04:12:56 -0000
Received: from unknown (HELO [192.168.4.70]) (samwun@hgcbroadband.com@[221.126.236.217]) by localhost (qmail-ldap-1.03) with SMTP; 19 Dec 2004 04:12:56 -0000
Message-ID: <41C4FF9F.1050807@authtec.com>
Date: Sun, 19 Dec 2004 12:12:15 +0800
From: sam wun
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <41C3B6CE.4080704@authtec.com> <200412180557.00999.max@love2party.net> <41C3BA23.5070207@authtec.com> <200412181714.51674.max@love2party.net>
In-Reply-To: <200412181714.51674.max@love2party.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Add new PF rules from C.
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Sun, 19 Dec 2004 04:13:27 -0000

Max Laier wrote:
> On Saturday 18 December 2004 06:03, sam wun wrote:
>> Thanks for the suggestion. I used pfctl -ss and found some established states;
>> the sample code works great.
>> I would like to write a C program that adds rules to PF based on user-defined
>> anchors and tables. Where can I find more information and guidelines about
>> doing that?
>
> Look at pfctl(8) (src/contrib/pf/pfctl/...) it's all in there. The code is
> quite readable and it should be easy to determine what to hand to the various
> ioctls. In most of the cases you don't really need to write your own C code.
> Most of the time it should be sufficient to exec() pfctl(8) and pipe rules to
> it. Take a look at the spamd port (mail/spamd) which does just that. You
> might need a fdescfs(5) in order to drop root privs and use the -p option.
> But that should all be obvious from the spamd code.

Thanks for the guideline. I think I will go for the hard way instead of using exec(); it will be more efficient in the end. The add_rule() function is quite useful to look at.
Thanks again
Sam.

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 04:55:00 2004
Message-ID: <41C5097B.5020606@authtec.com>
Date: Sun, 19 Dec 2004 12:54:19 +0800
From: sam wun
To: Max Laier
In-Reply-To: <200412181714.51674.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: DIOCCHANGERULE may be used in PF?

Hi,
I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of DIOCCHANGERULE. As I looked into the authpf.c file, in function add_pool(), authpf only uses DIOCADDADDR for adding a new rule to PF.
I also want to find out where DIOCCHANGERULE is used in PF, but nothing is found except in the man page:

# cd src/contrib/pf
# grep -r DIOCCHANGERULE *
man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"

DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may need to use DIOCADDADDR rather than DIOCCHANGERULE.
Any comment?
Thanks
Sam

Max Laier wrote:
> On Saturday 18 December 2004 06:03, sam wun wrote:
>> Thanks for the suggestion. I used pfctl -ss and found some established states;
>> the sample code works great.
>> I would like to write a C program that adds rules to PF based on user-defined
>> anchors and tables. Where can I find more information and guidelines about
>> doing that?
>
> Look at pfctl(8) (src/contrib/pf/pfctl/...) it's all in there. The code is
> quite readable and it should be easy to determine what to hand to the various
> ioctls. In most of the cases you don't really need to write your own C code.
> Most of the time it should be sufficient to exec() pfctl(8) and pipe rules to
> it. Take a look at the spamd port (mail/spamd) which does just that. You
> might need a fdescfs(5) in order to drop root privs and use the -p option.
> But that should all be obvious from the spamd code.

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 05:36:47 2004
From: Max Laier
To: sam wun
Date: Sun, 19 Dec 2004 06:33:14 +0100
Message-Id: <200412190633.24331.max@love2party.net>
In-Reply-To: <41C5097B.5020606@authtec.com>
cc: freebsd-pf@freebsd.org
Subject: Re: DIOCCHANGERULE may be used in PF?

On Sunday 19 December 2004 05:54, sam wun wrote:
> I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of
> DIOCCHANGERULE.

ssp_pf.c ?!?

> As I looked into the authpf.c file, in function add_pool(), authpf only uses
> DIOCADDADDR for adding a new rule to PF.

DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
DIOCCOMMITRULES).

> I also want to find out where DIOCCHANGERULE is used in PF, but
> nothing is found except in the man page:
> # cd src/contrib/pf
> # grep -r DIOCCHANGERULE *
> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>
> DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may
> need to use DIOCADDADDR rather than DIOCCHANGERULE.
>
> Any comment?

erm? I am having a hard time understanding what you mean.

DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
easier to have an anchor and add new rules into that anchor as a complete
ruleset. This is how it's done in authpf and spamd. Otherwise you have to
keep track of too many things. None of the default pf tools uses DIOCCHANGERULE
as it is not convenient to change rules. As rulesets can be committed
atomically it's much easier to replace a ruleset completely or to use
anchors.

Anchors are the way to go most of the time. Look at authpf(8) for details.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 05:46:37 2004
Message-ID: <41C51590.2000303@authtec.com>
Date: Sun, 19 Dec 2004 13:45:52 +0800
From: sam wun
To: Max Laier
In-Reply-To: <200412190633.24331.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: Re: DIOCCHANGERULE may be used in PF?

Max Laier wrote:
> On Sunday 19 December 2004 05:54, sam wun wrote:
>> I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of
>> DIOCCHANGERULE.

Sorry for the typos, I mean DIOCADDRULE.

> ssp_pf.c ?!?

Sorry to publish this file. This is a specific file in a plugin program I use. It currently has a few problems; I'm trying to fix it.

>> As I looked into the authpf.c file, in function add_pool(), authpf only uses
>> DIOCADDADDR for adding a new rule to PF.
>
> DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
> DIOCCOMMITRULES).

Yeah, I need to change it to DIOCADDRULE, a mistake when I did a copy and paste. And I forgot the use of DIOCCOMMITRULES. Does DIOCCOMMITRULES get invoked each time when calling DIOCADDRULE?

>> I also want to find out where DIOCCHANGERULE is used in PF, but
>> nothing is found except in the man page:
>> # cd src/contrib/pf
>> # grep -r DIOCCHANGERULE *
>> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
>> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
>> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>>
>> DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may
>> need to use DIOCADDADDR rather than DIOCCHANGERULE.
>>
>> Any comment?
>
> erm? I am having a hard time understanding what you mean.

You may have understood more about my question now. Sorry for the typos again.

> DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
> easier to have an anchor and add new rules into that anchor as a complete
> ruleset. This is how it's done in authpf and spamd. Otherwise you have to
> keep track of too many things.
> None of the default pf tools uses DIOCCHANGERULE
> as it is not convenient to change rules. As rulesets can be committed
> atomically it's much easier to replace a ruleset completely or to use
> anchors.

This may be the problem with the original ssp_pf.c file: it used DIOCCHANGERULE throughout the entire operation of adding rules. As you said, I will need to use DIOCADDRULE and DIOCCOMMITRULES for adding new rules to PF.

> Anchors are the way to go most of the time. Look at authpf(8) for details.

Yeah, I found this is a very good reference to look at.
Thanks
Sam

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 14:28:12 2004
Message-ID: <41C58FCE.8070609@authtec.com>
Date: Sun, 19 Dec 2004 22:27:26 +0800
From: sam wun
To: Max Laier
In-Reply-To: <200412190633.24331.max@love2party.net>
cc: freebsd-pf@freebsd.org
Subject: PFDEV Device busy

Hi,
I know this is going to be difficult to help with; anyway I'll give it a shot to see if anyone can help me out...
I tried to incorporate DIOCADDRULE in this plugin by making 2 different changes:

    //rule.action = PF_CHANGE_GET_TICKET;
    rule.action = PF_RULESET_FILTER;

    //if(ioctl(pfdev, DIOCCHANGERULE, &rule)<0)
    if(ioctl(pfdev, DIOCADDRULE, &rule)<0)
    {
        snprintf(msg, sizeof(msg) - 1, "Error: DIOCADDRULE 1 (auto=1) : %s. PF plugin disabled.", strerror(errno));
        ....
    }

By executing the program, I got the following error message:

    Error: DIOCADDRULE 1: Device busy. PF plugin disabled.

I'm not sure how to debug this error. Any idea?
Thanks
Sam
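The "Device busy" (EBUSY) from DIOCADDRULE is the kernel's ticket check in pf_ioctl.c: the ioctl refuses a pfioc_rule whose ticket and pool_ticket do not match the ones handed out by DIOCXBEGIN and DIOCBEGINADDRS for the current transaction, which is exactly the sequence authpf's add_rule() walks through before it adds and then commits. The script below is an added example, not code from this thread, from authpf or from spamd; it takes the route Max recommended earlier in the thread instead, rendering the anchor's complete ruleset and piping it to pfctl(8), which does the ticket handling and the atomic commit itself. The anchor name "plugin", the interface em0 and the state-file format (one IPv4 address per line, "#" comments) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread, from authpf or from spamd): manage
# a pf anchor the way Max describes, by rendering the anchor's complete ruleset
# and piping it to pfctl(8), rather than editing rules one at a time with
# DIOCCHANGERULE or driving DIOCADDRULE by hand. The anchor name, interface
# and state-file format (one IPv4 address per line, '#' comments) are this
# example's own assumptions.

ANCHOR="${ANCHOR:-plugin}"
EXT_IF="${EXT_IF:-em0}"

# Accept only dotted-quad IPv4 addresses. The ruleset is plain text fed to
# pfctl, so an unchecked line in the state file could otherwise smuggle extra
# rules into the anchor. (A stricter check would also bound each octet.)
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Render the whole anchor ruleset from a state file of permitted client
# addresses: one pass rule per valid address, then a default block. This only
# produces text; nothing is loaded into the kernel here.
render_ruleset() {
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$addr" ] || continue
        if is_ipv4 "$addr"; then
            printf 'pass in quick on %s inet from %s to any keep state\n' "$EXT_IF" "$addr"
        else
            printf 'render_ruleset: skipping invalid entry: %s\n' "$addr" >&2
        fi
    done < "$1"
    printf 'block in quick on %s all\n' "$EXT_IF"
}

# Replace the anchor's ruleset in one go. pfctl parses the text first (-n)
# and loads it only if it is valid, and the load itself is a single
# transaction, so a bad state file leaves the previous rules untouched.
load_anchor() {
    rules=$(render_ruleset "$1") || return 1
    printf '%s\n' "$rules" | pfctl -a "$ANCHOR" -nf - || return 1
    printf '%s\n' "$rules" | pfctl -a "$ANCHOR" -f -
}

# Usage (as root, on a pf host): load_anchor /var/db/plugin-clients
```

The main pf.conf must reference the anchor with a line such as `anchor "plugin"` at the point where these rules should be evaluated; `pfctl -a plugin -sr` then shows what was loaded. Because every call regenerates the whole anchor from the state file, there is no per-rule bookkeeping, which is the "too many things to keep track of" that Max warns about with DIOCCHANGERULE.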
From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 17:51:11 2004
Message-ID: <001301c4e5f3$2d5e87c0$0400a8c0@satellite>
From: "dave"
Date: Sun, 19 Dec 2004 12:50:07 -0500
Subject: pf and ftp client

Hello,
I've got a 5.3 box running pf. I want to use it as an ftp client; it's already going through a NAT firewall. My problem is that when I try to download a port via make install and any ftp URL is referenced, the site cannot be contacted. I'm not sure which mode this is using, active or passive. This machine has only one NIC in it. I have included my relevant ftp pf rules below.
Any help appreciated.
Thanks.

pf.conf:

# options
set loginterface none
set optimization normal
set block-policy drop

scrub in on $ext_if all
scrub out all random-id max-mss 1440

# nat ftp-proxy
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

# activate spoofing protection for the internal interface.
antispoof quick for $ext_if inet

# allow active ftp, passive is handled
# by the ftp-proxy and the nat rdr rule
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow out ftp
pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 19:03:56 2004
From: Max Laier
To: freebsd-pf@freebsd.org, dave
Date: Sun, 19 Dec 2004 20:03:47 +0100
Message-Id: <200412192003.54145.max@love2party.net>
In-Reply-To: <001301c4e5f3$2d5e87c0$0400a8c0@satellite>
Subject: Re: pf and ftp client

On Sunday 19 December 2004 18:50, dave wrote:
> Hello,
> I've got a 5.3 box running pf. I want to use it as an ftp client; it's
> already going through a NAT firewall. My problem is that when I try to download
> a port via make install and any ftp URL is referenced, the site cannot be
> contacted. I'm not sure which mode this is using, active or passive. This
> machine has only one NIC in it. I have included my relevant ftp pf rules
> below.
> Any help appreciated.
> Thanks.

First verify that ftp works without pf, i.e. does your NAT firewall support
ftp at all? Depending on the other firewall you might not need ftp-proxy at
all (or it might not be possible to use ftp at all). Without details about
that other firewall's setup I can only guess.
> pf.conf:
>
> # options
> set loginterface none
> set optimization normal
> set block-policy drop
>
> scrub in on $ext_if all
> scrub out all random-id max-mss 1440
>
> # nat ftp-proxy
> rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021
>
> # activate spoofing protection for the internal interface.
> antispoof quick for $ext_if inet
>
> # allow active ftp, passive is handled
> # by the ftp-proxy and the nat rdr rule
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy
> flags S/SA keep state

This is wrong. If you want passive mode to work you have to allow:
"in from any to any user proxy" as described in the ftp-proxy(8) manpage.

> # allow out ftp
> pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA
> modulate state

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 19:46:26 2004
Message-ID: <41C5DA96.4000907@gmail.com>
Date: Sun, 19 Dec 2004 16:46:30 -0300
From: Mbarrera
To: freebsd-pf@freebsd.org
Subject: pflogd not log

Hello
I read http://lists.freebsd.org/pipermail/freebsd-pf/2004-September/000484.html
My problem is:

# pflogd
# ps aux | grep pflogd
root 1665 0.0 0.2 1532 960 p0 R+ 4:44PM 0:00.00 grep pflogd

(It is not working in the background.)

# cat /var/log/messages
Dec 19 16:44:20 kernel: pflog0: promiscuous mode enabled
Dec 19 16:44:20 kernel: pflog0: promiscuous mode disabled

FreeBSD 5.3-RELEASE-p2
thx

From owner-freebsd-pf@FreeBSD.ORG Sun Dec 19 20:48:30 2004
Date: Sun, 19 Dec 2004 14:48:50 -0600
From: Jay
To: Mbarrera
Message-ID: <20041219204850.GG85464@mail.meangrape.com>
In-Reply-To: <41C5DA96.4000907@gmail.com>
cc: freebsd-pf@freebsd.org
Subject: Re: pflogd not log

On Sun, Dec 19, 2004 at 04:46:30PM -0300, Mbarrera wrote:
> # cat /var/log/messages
> Dec 19 16:44:20 kernel: pflog0: promiscuous mode enabled
> Dec 19 16:44:20 kernel: pflog0: promiscuous mode disabled

I had the same problem when I first set up pflogd. IIRC, I needed to create the log file manually.

`touch /var/log/pflog`

Hope this helps.

-- 
Jay.
From owner-freebsd-pf@FreeBSD.ORG Tue Dec 21 00:40:44 2004
From: Ladislav Bodnar
Organization: DistroWatch.com
To: freebsd-pf@freebsd.org
Date: Tue, 21 Dec 2004 08:40:42 +0800
In-Reply-To: <20041217061437.GA5119@kt-is.co.kr>
Message-Id: <200412210840.42375.distro.watch@msa.hinet.net>
Subject: Re: Can pf block illegal relay access attempts?

On Friday 17 December 2004 14:14, Pyun YongHyeon wrote:
> On Fri, Dec 17, 2004 at 01:56:34PM +0800, Ladislav Bodnar wrote:
> > Hi,
> >
> > Over the last 7 days my Postfix mail server received almost 80,000
> > requests to relay mail to a third destination. Since it is not an open
> > relay, it rejected all these requests, but it is still annoying to see
> > this happening.
> > The requests came from varying (almost 20,000
> > different) IP addresses, but they had one thing in common - the
> > destination address was always "$some-user-name"@infomagic.com.
> >
> > Is there a way to prevent these attempts to access the mail server at
> > all? I only started using pf recently, so I still have a lot to learn,
> > but I would appreciate any advice. Or is pf not the right tool for
> > this?
>
> Try spamd in ports/mail.

Thank you for your suggestion.

I investigated spamd and found out that it blocks connections based on IP address only. Unfortunately, I generated almost 20,000 different IP addresses over the last 7 days, so I don't think the IP addresses I would block are valid. I am looking for a solution where a connection is refused based on the recipient's email address (which is always @infomagic.com).

Basically I am wondering if pf can refuse a connection based on some other criteria than IP address.

Thanks a lot.

From owner-freebsd-pf@FreeBSD.ORG Tue Dec 21 02:19:45 2004
Date: Tue, 21 Dec 2004 11:19:42 +0900
From: Pyun YongHyeon
To: Ladislav Bodnar
Message-ID: <20041221021942.GA4468@kt-is.co.kr>
In-Reply-To: <200412210840.42375.distro.watch@msa.hinet.net>
cc: freebsd-pf@freebsd.org
Subject: Re: Can pf block illegal relay access attempts?

On Tue, Dec 21, 2004 at 08:40:42AM +0800, Ladislav Bodnar wrote:
> On Friday 17 December 2004 14:14, Pyun YongHyeon wrote:
> > On Fri, Dec 17, 2004 at 01:56:34PM +0800, Ladislav Bodnar wrote:
> > > Hi,
> > >
> > > Over the last 7 days my Postfix mail server received almost 80,000
> > > requests to relay mail to a third destination. Since it is not an open
> > > relay, it rejected all these requests, but it is still annoying to see
> > > this happening. The requests came from varying (almost 20,000
> > > different) IP addresses, but they had one thing in common - the
> > > destination address was always "$some-user-name"@infomagic.com.
> > >
> > > Is there a way to prevent these attempts to access the mail server at
> > > all? I only started using pf recently, so I still have a lot to learn,
> > > but I would appreciate any advice. Or is pf not the right tool for
> > > this?
> >
> > Try spamd in ports/mail.
>
> Thank you for your suggestion.
>
> I investigated spamd and found out that it blocks connections based on IP
> address only. Unfortunately, I generated almost 20,000 different IP
> addresses over the last 7 days, so I don't think the IP addresses I would
> block are valid. I am looking for a solution where a connection is refused
> based on the recipient's email address (which is always @infomagic.com).
>
> Basically I am wondering if pf can refuse a connection based on some other
> criteria than IP address.
>

As you said, pf can filter based on IP address. The IP address information to be used comes from other criteria (e.g. greylisting, the sender's/recipient's address, header information, etc.). You may want to see Daniel's page.
http://www.benzedrine.cx/relaydb.html

Using 20,000 different IP addresses is no problem at all. You will never notice performance degradation, and I believe pf's table is more efficient than a userland database approach as far as IP addresses are concerned. Redirecting to spamd in order to waste the spam sender's time, or blocking the connection from the spammer's IP address, is up to you.

> Thanks a lot.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
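Pyun's point is that pf only ever sees addresses, so the recipient-based criterion has to be applied where the recipient is visible (the MTA's log) and turned into addresses for a pf table, which is what relaydb does for the mail logs. The script below is an added example, not code from this thread, from relaydb or from spamd; it does a small version of that for Postfix, pulling the client addresses of "Relay access denied" rejections whose recipient is in one domain and adding them to a table. The log lines are constructed samples using documentation addresses, and the table name relayabusers and the DOMAIN variable are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, from relaydb or from spamd. It turns
# Postfix "Relay access denied" rejections for one recipient domain (the
# criterion pf itself cannot see) into entries of a pf table that a block rule
# can reference. Table name, domain and the log lines are assumptions.

DOMAIN="${DOMAIN:-infomagic.com}"
TABLE="${TABLE:-relayabusers}"

# Constructed sample of postfix/smtpd log lines (RFC 5737 documentation
# addresses). The 203.0.113.9 client appears twice; the last two lines are a
# different recipient domain and a plain connect, and must not produce entries.
SAMPLE_LOG='Dec 19 16:44:20 mx postfix/smtpd[8123]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <bob@infomagic.com>: Relay access denied; from=<a@example.net> to=<bob@infomagic.com> proto=SMTP helo=<x>
Dec 19 16:44:21 mx postfix/smtpd[8123]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 554 5.7.1 <amy@infomagic.com>: Relay access denied; from=<b@example.net> to=<amy@infomagic.com> proto=SMTP helo=<y>
Dec 19 16:44:22 mx postfix/smtpd[8124]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <carl@infomagic.com>: Relay access denied; from=<c@example.net> to=<carl@infomagic.com> proto=SMTP helo=<z>
Dec 19 16:44:23 mx postfix/smtpd[8125]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <d@other.example>: Relay access denied; from=<d@example.org> to=<d@other.example> proto=SMTP helo=<w>
Dec 19 16:44:24 mx postfix/smtpd[8126]: connect from mail.example.com[192.0.2.10]'

# Read log lines on stdin and print, once each, the client addresses that were
# refused relaying to $DOMAIN. A line counts only if it carries the reject
# reason and a recipient (to=<...>) in that domain; the client address is the
# bracketed token after "RCPT from".
relay_abusers() {
    domain_re=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')
    grep -F 'Relay access denied' \
      | grep -E "to=<[^>]*@${domain_re}>" \
      | sed -n 's/.*RCPT from [^[]*\[\([0-9.]*\)\].*/\1/p' \
      | sort -u
}

# Push the addresses into the pf table. pf.conf must declare
#   table <relayabusers> persist
# and a rule that uses it, for example
#   block in quick on $ext_if proto tcp from <relayabusers> to any port 25
update_table() {
    addrs=$(relay_abusers) || return 1
    [ -n "$addrs" ] || return 0
    # word splitting of $addrs is intended: one argument per address
    pfctl -t "$TABLE" -T add $addrs
}

# Usage (as root, on the pf host): update_table < /var/log/maillog
```

Because the decision is made on the recipient address and only the resulting client addresses reach pf, the churn Ladislav describes (20,000 distinct sources in a week) costs nothing on the pf side; `pfctl -t relayabusers -T show` lists what has accumulated, and `-T flush` empties it when the list should be rebuilt from fresh logs.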
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 22 01:55:09 2004
From: Didier Wiroth
To: freebsd-pf@freebsd.org
Date: Wed, 22 Dec 2004 02:55:07 +0100
Message-id: <8e3f9722ef1.41c8e20b@etat.lu>
Subject: pfS ftp-proxy binding to 127.0.0.1

Hi,
I'm still trying OpenBSD and FreeBSD.

I'm setting up a pppoe router, using pf and ftp-proxy.
On OpenBSD you can bind ftp-proxy to the localhost address; OpenBSD's
ftp-proxy only listens on 127.0.0.1, like this:
127.0.0.1:8021

On FreeBSD it listens on all IP addresses; here is the result of sockstat:
root     inetd      750   4  tcp4   *:8021     *:*

I do understand that I can explicitly add a pf rule to deny or allow access
to the proxy, but to enforce security is it possible to bind ftp-proxy so
that it only listens on the localhost?

thx
didier

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 22 19:16:05 2004
From: "Paul J. Pathiakis"
Organization: Pathiakis Home
To: freebsd-pf@freebsd.org
Date: Wed, 22 Dec 2004 14:12:00 -0500
Message-Id: <200412221412.00770.pathiaki@pathiaki.com>
Subject: Does the outgoing balance example work?

Hi,

I'm trying to get pf to load balance outgoing on two outbound lines (cable
and dsl). My pf.conf is based on the example from the pf faq at
www.openbsd.org. I've changed parameters to match my machine and I still
can't get it to load balance outgoing connections on my machine. As soon as
I enable the route-to rules for balancing, my web browser stops working and
quite a few other utilities stop working. It connects to the site but the
response never comes back. Is it possible that nat isn't working correctly?
Is it possible that the return addresses aren't getting correctly set? How
do I troubleshoot this? The example (below) seems pretty straightforward.
I've enabled my pflog (made sure every filter is logging). I can check
states with pfctl commands. I just can't see what's wrong. Is there
anything that I'm missing? (Please note that I changed the "default block
all" to pass in all and pass out all.)

thanks!

Paul P.
lan_net = "192.168.0.0/24"
int_if = "dc0"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "68.146.224.1"
ext_gw2 = "142.59.76.1"

# nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# default deny
#block in from any to any
#block out from any to any
pass in from any to any
pass out from any to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 22 19:20:43 2004
From: "Paul J. Pathiakis"
Organization: Pathiakis Home
To: freebsd-pf@freebsd.org
Date: Wed, 22 Dec 2004 14:20:40 -0500
In-Reply-To: <200412221412.00770.pathiaki@pathiaki.com>
Message-Id: <200412221420.40575.pathiaki@pathiaki.com>
Subject: Re: Does the outgoing balance example work?

BTW, I should mention that this is load balancing. According to my logs,
traffic is going out both interfaces.... it's just not coming back.

P.

On Wednesday 22 December 2004 14:12, Paul J. Pathiakis wrote:
> Hi,
>
> I'm trying to get pf to load balance outgoing on two outbound lines (cable and dsl).
> My pf.conf is based on the example from the pf faq at www.openbsd.org. I've changed
> parameters to match my machine and I still can't get it to load balance outgoing
> connections on my machine. As soon as I enable the route-to rules for balancing, my
> web browser stops working and quite a few other utilities stop working. It connects
> to the site but the response never comes back. Is it possible that nat isn't working
> correctly? Is it possible that the return addresses aren't getting correctly set?
> How do I troubleshoot this? The example (below) seems pretty straight forward.
> I've enabled my pflog (made sure every filter is logging).
> I can check states with pfctl commands. I just can't see what's wrong. Is there anything
> that I'm missing (Please note that I changed the "default block all" to pass in all and pass
> out all.
>
> thanks!
>
> Paul P.
>
> [...]

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 06:05:15 2004
From: Jeremie Le Hen
To: Didier Wiroth
Cc: freebsd-pf@freebsd.org
Date: Thu, 23 Dec 2004 07:05:26 +0100
In-Reply-To: <8e3f9722ef1.41c8e20b@etat.lu>
Message-ID: <20041223060526.GH675@obiwan.tataz.chchile.org>
Subject: Re: pfS ftp-proxy binding to 127.0.0.1

On Wed, Dec 22, 2004 at 02:55:07AM +0100, Didier Wiroth wrote:
> HI,
> I'm still trying openbsd and freebsd.
>
> I'm setting a pppoe router , using pf and ftp-proxy.
> On openbsd you can bind ftp-proxy to the localhost address, openbsd's
> ftp-proxy only listens to 127.0.0.1 like this:
> 127.0.0.1:8021
>
> On freebsd it listens on all ip addresses, here is the result of sockstat:
> root inetd 750 4 tcp4 *:8021 *:*
>
> I do understand that I can explicitly add a pf rule to deny or allow
> access to the proxy but to enforce security is it possible to bind
> ftp-proxy so that it only listens to the localhost.
This may be a bit off-topic, but you may want to have a look at a new FTP
proxy for pf(4): pftpx

  http://marc.theaimsgroup.com/?l=openbsd-misc&m=110129991118018&w=2

Regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 11:28:46 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 23 Dec 2004 12:28:05 +0100
References: <200412221412.00770.pathiaki@pathiaki.com> <200412221420.40575.pathiaki@pathiaki.com>
In-Reply-To: <200412221420.40575.pathiaki@pathiaki.com>
Message-Id: <200412231228.20068.max@love2party.net>
Subject: Re: Does the outgoing balance example work?
On Wednesday 22 December 2004 20:20, Paul J. Pathiakis wrote:
> BTW, I should mention that this is load balancing. According to my logs,
> traffic is going out both interfaces.... it's just not coming back.

Can you provide me (off-list if you prefer) with some tcpdump logs from both
outgoing interfaces? The output of $pfctl -vvsr and $pfctl -vvsn would also
be interesting.

> P.
>
> On Wednesday 22 December 2004 14:12, Paul J. Pathiakis wrote:
> > Hi,
> >
> > I'm trying to get pf to load balance outgoing on two outbound lines
> > (cable and dsl). My pf.conf is based on the example from the pf faq at
> > www.openbsd.org. I've changed parameters to match my machine and I still
> > can't get it to load balance outgoing connections on my machine. As soon
> > as I enable the route-to rules for balancing, my web browser stops
> > working and quite a few other utilities stop working. It connects to the
> > site but the response never comes back. Is it possible that nat isn't
> > working correctly? Is it possible that the return addresses aren't
> > getting correctly set? How do I troubleshoot this? The example (below)
> > seems pretty straight forward. I've enabled my pflog (made sure every
> > filter is logging).
> > I can check states with pfctl commands. I just can't see what's wrong.
> > Is there anything that I'm missing (Please note that I changed the
> > "default block all" to pass in all and pass out all.
> >
> > thanks!
> >
> > Paul P.
> >
> > [...]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 11:31:46 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 23 Dec 2004 12:31:41 +0100
In-Reply-To: <8e3f9722ef1.41c8e20b@etat.lu>
Message-Id: <200412231231.42864.max@love2party.net>
Subject: Re: pfS ftp-proxy binding to 127.0.0.1

On Wednesday 22 December 2004 02:55, Didier Wiroth wrote:
> HI,
> I'm still trying openbsd and freebsd.
>
> I'm setting a pppoe router , using pf and ftp-proxy.
> On openbsd you can bind ftp-proxy to the localhost address, openbsd's
> ftp-proxy only listens to 127.0.0.1 like this: 127.0.0.1:8021
>
> On freebsd it listens on all ip addresses, here is the result of sockstat:
> root inetd 750 4 tcp4 *:8021 *:*
>
> I do understand that I can explicitly add a pf rule to deny or allow
> access to the proxy but to enforce security is it possible to bind
> ftp-proxy so that it only listens to the localhost.

This is not so much a problem with ftp-proxy(8), but with the FreeBSD
inetd(8). You might want to try ports/security/xinetd instead. It will give
you a "replacement for inetd with better control and logging", as the port's
description says.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
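The xinetd route Max suggests, as an added example that is not part of his message and not from the xinetd or FreeBSD projects: a service stanza that starts ftp-proxy from xinetd bound to the loopback address only, which is the binding Didier saw on OpenBSD. It reuses the ftp-proxy flags Didier posts in his inetd line later in this thread; the file location, the includedir line and the UNLISTED/port attributes are assumptions.

```conf
# /usr/local/etc/xinetd.d/ftp-proxy (path is an assumption; xinetd.conf
# must carry a matching "includedir /usr/local/etc/xinetd.d" line)
service ftp-proxy
{
        # UNLISTED plus an explicit port makes the stanza independent of
        # whether /etc/services knows ftp-proxy (assumption)
        type            = UNLISTED
        port            = 8021
        # the point of the exercise: listen on loopback only
        bind            = 127.0.0.1
        socket_type     = stream
        protocol        = tcp
        wait            = no
        # started as root; ftp-proxy drops to -u proxy by itself
        user            = root
        server          = /usr/libexec/ftp-proxy
        # flags taken from Didier's inetd line later in this thread
        server_args     = -u proxy -m 55000 -M 57000 -t 180
        disable         = no
}
```

After restarting xinetd, `sockstat -4 -l` should show the listener as `127.0.0.1:8021` rather than `*:8021`. The pf rule Didier mentions is still worth keeping: the bind decides who can reach the listening socket, the rdr and pass rules decide what pf hands to it, and the two controls fail independently of each other.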
From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 17:28:44 2004
From: Didier Wiroth
To: freebsd-pf@freebsd.org
Date: Thu, 23 Dec 2004 18:28:41 +0100
Message-id: <2e5ff705f48.41cb0e59@etat.lu>
Subject: new passiv ftp /ftp-proxy problem.

Hi,

I'm trying different pf.conf for my home router. I would like to change my
actual pf.conf to a default "block all" policy and explicitly allow/open the
ports I need.

How do you have to modify the below pf.conf sample to allow passive ftp, is
this even possible? Please keep in mind that I want to keep the default
"block all".

I would like to use ftp-proxy started from inetd like this:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

As a test, I created a very simple pf.conf, which actually doesn't work:

#variables
int_if="sis0"
ext_if="tun0"

# options
set block-policy return
set loginterface $ext_if

#
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy

pass quick on lo0 all
block log-all all

#ftp connections
pass in on $int_if inet proto tcp from $int_if:network to { $int_if, localhost } port ftp-proxy keep state
pass out on $ext_if inet proto tcp from $ext_if to any port ftp keep state user proxy
-----------------end snip ----------------

Why isn't this working?
Thx a lot

From owner-freebsd-pf@FreeBSD.ORG Thu Dec 23 19:32:40 2004
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Didier Wiroth
Date: Thu, 23 Dec 2004 20:32:34 +0100
In-Reply-To: <2e5ff705f48.41cb0e59@etat.lu>
Message-Id: <200412232032.36565.max@love2party.net>
Subject: Re: new passiv ftp /ftp-proxy problem.

On Thursday 23 December 2004 18:28, Didier Wiroth wrote:
> Hi,
>
> I'm trying different pf.conf for my home router. I would like to change
> my actual pf.conf to a default "block all" policy and explicitly
> allow/open the ports I need.
>
> How do you have to modify the below pf.conf sample to allow passiv ftp, is
> this even possible? Please keep in mind that I want to keep the default
> "block all".
>
> I would like to use ftp-proxy started from inetd like this:
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy
> ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> As a test, I created a very simple pf.conf, which actually doesn't work:
> #variables
> int_if="sis0"
> ext_if="tun0"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> \
>     127.0.0.1 port ftp-proxy
>
> pass quick on lo0 all
> block log-all all
>
> #ftp connections
> pass in on $int_if inet proto tcp from $int_if:network to \
>     { $int_if, localhost } port ftp-proxy keep state
> pass out on $ext_if inet proto tcp from $ext_if to any port ftp \
>     keep state user proxy

Add at least:

pass in on $ext_if inet proto tcp from any to ($ext_if) port 55000:57000 \
    keep state user proxy

> -----------------end snip ----------------
> Why isn't this working?

You can also watch "$tcpdump -n -e -ttt -i pflog0" to see what is dropped.
You will quickly figure out what belongs to your ftp connection and what you
need to enable.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
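The pflog reading Max recommends here, and which Paul's load-balancing thread above also relies on ("made sure every filter is logging"), as an added example that is not part of either message and not pf or tcpdump code: it summarises "tcpdump -n -e -ttt -i pflog0" output by interface, direction, protocol and destination port, and turns only the drops that fall inside the ftp-proxy passive range into the pass rule Max gave; everything else is handed back for a human decision, so a port scan in the log never becomes a pass rule. The capture is constructed; the "rule N/M(match): ACTION DIR on IF:" prefix follows pf's pflog printer and the rest is tcpdump's usual IPv4 output, which is an assumption about the exact tcpdump build in use.

```python
"""Summarise what pf dropped, from "tcpdump -n -e -ttt -i pflog0" output.

Added example for this thread; not code from Max's message, pf or tcpdump.
The capture below is constructed: the "rule N/M(match): ACTION DIR on IF:"
prefix follows pf's pflog printer, the remainder is tcpdump's IPv4 output.
"""
import re
from collections import Counter

# Constructed sample, not a real capture.
SAMPLE_PFLOG = """\
000000 rule 1/0(match): block in on tun0: 203.0.113.9.20 > 198.51.100.2.55010: S 1:1(0) win 65535
000120 rule 1/0(match): block in on tun0: 203.0.113.9.20 > 198.51.100.2.55011: S 2:2(0) win 65535
000004 rule 1/0(match): block in on tun0: 203.0.113.9.20 > 198.51.100.2.55010: S 1:1(0) win 65535
000890 rule 1/0(match): block in on tun0: 192.0.2.77.4321 > 198.51.100.2.22: S 9:9(0) win 5840
000015 rule 3/0(match): pass in on sis0: 192.168.1.20.1055 > 192.168.1.1.8021: S 7:7(0) win 65535
000032 rule 1/0(match): block in on tun0: 192.0.2.80 > 198.51.100.2: icmp: echo request
000007 rule 1/0(match): block in on tun0: 192.0.2.81.53 > 198.51.100.2.1027: udp 80
"""

PFLOG = re.compile(
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>[^/\s]+))?/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:\s]+): "
    r"(?P<src>[^\s:]+) > (?P<dst>[^\s:]+):?\s*(?P<rest>.*)"
)


def split_hostport(token):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; ICMP carries no port."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


def parse_pflog_line(line):
    """One tcpdump line -> dict, or None for lines that are not pflog records."""
    m = PFLOG.search(line)
    if not m:
        return None
    rest = m.group("rest")
    proto = "icmp" if rest.startswith("icmp") else "udp" if rest.startswith("udp") else "tcp"
    src, sport = split_hostport(m.group("src"))
    dst, dport = split_hostport(m.group("dst"))
    return {"rule": int(m.group("rule")), "action": m.group("action"),
            "dir": m.group("dir"), "ifname": m.group("ifname"), "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def blocked_summary(lines):
    """Counter of (interface, direction, proto, dst port) over dropped packets."""
    summary = Counter()
    for line in lines:
        p = parse_pflog_line(line)
        if p and p["action"] == "block":
            summary[(p["ifname"], p["dir"], p["proto"], p["dport"])] += 1
    return summary


def suggest_pass_rules(summary, ext_if, passive_range):
    """Write a rule only for inbound TCP into the ftp-proxy passive range
    (Max's rule); return every other drop for a human to judge."""
    lo, hi = passive_range
    rules, review = [], []
    for (ifname, direction, proto, dport), n in sorted(summary.items(), key=str):
        if (ifname == ext_if and direction == "in" and proto == "tcp"
                and dport is not None and lo <= dport <= hi):
            rule = (f"pass in on {ext_if} inet proto tcp from any to ({ext_if}) "
                    f"port {lo}:{hi} keep state user proxy")
            if rule not in rules:
                rules.append(rule)
        else:
            review.append((ifname, direction, proto, dport, n))
    return rules, review


if __name__ == "__main__":
    import sys
    found = blocked_summary(sys.stdin)
    rules, review = suggest_pass_rules(found, "tun0", (55000, 57000))
    print("\n".join(rules))
    for ifname, direction, proto, dport, n in review:
        print(f"# review: {n} x {proto} {direction} on {ifname} to port {dport}")
```

Fed with `tcpdump -n -e -ttt -i pflog0 | python3 pflog-summary.py` on the router, the output is the passive-range rule plus a comment per other drop. Because Didier's ruleset uses `block log-all all`, every dropped packet reaches pflog0, so the review list is also a quick inventory of what else is knocking on the external interface before the policy is opened up any further.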