From: "M. Keith Thompson"
To: J65nko, freebsd-pf@freebsd.org
Date: Thu, 7 Jan 2010 15:19:50 -0600
Subject: Re: ftp problem
In-Reply-To: <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com>

On Thu, Jan 7, 2010 at 2:37 PM, J65nko wrote:
>> # SSH from NetEng subnet
>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>
>> # Allow inside network to ping the server
>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>
>> # Allow DNS lookups
>> pass out quick on $ext_if proto udp to any port 53
>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>
>> # Allow ftp
>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> --- end of pf.conf ----------------------
>
> To prevent problems with TCP window scaling you should create state on
> only the first packet of the 3 way TCP handshake, the packet with only
> the Syn flag set.
>
> With pf you do this by using 'keep state flags S/SA'.
>
> This TCP window scaling issue is explained by Daniel Hartmeier, pf
> hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238
> under the section "Create TCP states on the initial SYN packet".
>
> BTW I wonder why you don't use the pf ftp-proxy, and why you allow
> active ftp transfers ;)
>

Changed the three ftp pass rules to "flags S/SA"; still no love.

I was not using the proxy because there is no NAT involved. I will try
adding the pf ftp-proxy. I am forced by user requirements to allow active
transfers.

Thanks for all of the input!
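For reference, here is a pf.conf fragment written for this thread (not posted by either participant) that puts the two suggestions together: the three ftp rules creating state only on the initial SYN with `flags S/SA`, and the anchors that ftp-proxy(8) needs so it can insert per-session data-connection rules instead of the wide port ranges. The interface name, the server address, the proxy listening port 8021 and running ftp-proxy in reverse mode (`-R`) against that server are assumptions, not details from the thread.

```pf
# Added example for this thread; not the poster's or J65nko's config.
ext_if = "em0"            # assumed external interface
ext_IP = "192.0.2.10"     # assumed FTP server address (documentation range)

# ftp-proxy(8) installs rules for each FTP session into these anchors,
# so no static "port > 49151" / "port 20" rules are needed for data connections.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand the inbound control connection to ftp-proxy. Assumes the proxy is
# started from rc.conf with something like ftp-proxy_flags="-R 192.0.2.10"
# (reverse mode, proxying to the server) and listens on 127.0.0.1:8021.
rdr pass on $ext_if proto tcp from any to $ext_IP port 21 -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Weak form from the thread: state is created on any packet that matches,
# so a mid-stream packet can create a state that missed the window-scale option.
#   pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
#
# Corrected form: state is created only on a packet with SYN set and ACK clear,
# i.e. the first packet of the three-way handshake.
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 flags S/SA keep state

# If the proxy is not used, the static data-port rules still need the same flags:
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 flags S/SA keep state
pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 flags S/SA keep state
```

Reload with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s states` should then show FTP states only for connections whose first packet was a bare SYN.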