Date:      Thu, 7 Jan 2010 15:19:50 -0600
From:      "M. Keith Thompson" <m.keith.thompson@gmail.com>
To:        J65nko <j65nko@gmail.com>, freebsd-pf@freebsd.org
Subject:   Re: ftp problem
Message-ID:  <fc2243911001071319q4bbbc4a6o6b58031bba59c39b@mail.gmail.com>
In-Reply-To: <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com>
References:  <fc2243911001060809m5417b810vf2ed40c8a969fb5f@mail.gmail.com> <7731938b1001060923n5de4b511of07b8c63cff4e011@mail.gmail.com> <fc2243911001060957n16f906f7m703c696b970e8c3c@mail.gmail.com> <2cf1d0681001071216p6b516e9egcf7401f2b38e3c3d@mail.gmail.com> <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com>

On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko@gmail.com> wrote:
>> # SSH from NetEng subnet
>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port
>> 22 keep state
>>
>> # Allow inside network to ping the server
>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>
>> # Allow DNS lookups
>> pass out quick on $ext_if proto udp to any port 53
>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>
>> # Allow ftp
>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> --- end of pf.conf ----------------------
>
> To prevent problems with TCP window scaling you should create state on
> only the first packet of the 3-way TCP handshake, the packet with only
> the SYN flag set.
>
> With pf you do this by using 'keep state flags S/SA'.
>
> This TCP window scaling issue is explained by Daniel Hartmeier, pf
> hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238
> under the section
> "Create TCP states on the initial SYN packet"
>
> BTW I wonder why you don't use the pf ftp-proxy, and why you allow
> active ftp transfers ;)
>

Changed the three ftp pass rules to "flags S/SA"; still no love.
I was not using the proxy because there is no NAT involved. I will try
adding the pf ftp-proxy.
I am forced by user requirements to allow active transfers.

Thanks for all of the input!
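Added example (not part of the thread, and not a known fix for the reporter's problem): the three FTP rules from the quoted pf.conf rewritten to create state only on the initial SYN, shown next to the originals, plus the outbound rule an active-mode data connection needs. The macro names $ext_if and $ext_IP are taken from the quoted file; the comments on pf defaults and the pass out rule are my additions, and whether the rest of the reporter's file already passes outbound traffic is not shown in the thread.

```pf
# As posted: state is created on whichever packet matches first. A
# session picked up mid-stream carries no window-scale factor (it is
# only negotiated in the SYN/SYN-ACK), so pf may later treat in-window
# packets as out of window and drop them.
# pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
# pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
# pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state

# Control connection: match only the SYN (S set, A clear), so the state
# is created at the start of the handshake and sees the scale option.
# Newer pf releases use "flags S/SA keep state" by default for tcp pass
# rules; writing it out makes the intent visible either way.
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state

# Passive data connections: the client connects to a server high port.
# Give the exact range the FTP daemon advertises (49152-65535 here,
# assumed from the posted "> 49151") rather than an open-ended match;
# ftp-proxy(8) with its anchor would replace this with per-session rules.
pass in quick on $ext_if proto tcp from any to $ext_IP port 49152:65535 \
    flags S/SA keep state

# Active data connections: the SERVER opens them, from its port 20 to
# the client's port given in PORT. That SYN leaves the box, so a
# "pass in ... port 20" rule never matches it. If the ruleset blocks by
# default, this is the rule that carries active mode.
# (Assumption: no broader pass out rule exists elsewhere in the file.)
pass out quick on $ext_if proto tcp from $ext_IP port 20 to any \
    flags S/SA keep state
```

Check the loaded rules with `pfctl -sr` and the states with `pfctl -ss` while a transfer is in progress: a state whose source is $ext_IP:20 should appear for an active transfer; if it never does, the data SYN is not leaving through this rule at all.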


