From: "M. Keith Thompson" <m.keith.thompson@gmail.com>
To: J65nko
Cc: freebsd-pf@freebsd.org
Date: Fri, 8 Jan 2010 07:51:30 -0600
Subject: Re: ftp problem
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Jan 7, 2010 at 10:18 PM, J65nko wrote:
> On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson wrote:
>> On Thu, Jan 7, 2010 at 2:37 PM, J65nko wrote:
>>>> # SSH from NetEng subnet
>>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>>>
>>>> # Allow inside network to ping the server
>>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>>
>>>> # Allow DNS lookups
>>>> pass out quick on $ext_if proto udp to any port 53
>>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>>
>>>> # Allow ftp
>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>>>
>>>> --- end of pf.conf ----------------------
>
> With ftp the client initiates the ftp command channel
>     client:port >1023   ---> server:port 21
>
> The passive ftp data channel is initiated by the client
>     client:port >1023   ---> server:port >1023
>
> Your second rule takes care of this
>
> The active ftp data channel is initiated by the ftp server
> using, and that is kind of weird, port 20 (ftp-data) as source port.
>     server:port 20      ---> client:port >1023
>
> You meant to pass active ftp with this rule:
>
>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
>>>> port 20 keep state
>
> But it should be:
>     pass out quick on $ext_if inet proto tcp from any port ftp-data
>     to $ext_IP port > 10000 keep state

I will make that change

> BTW you have a nice pf debug friendly "block log all" default policy.
> Does "tcpdump -eni pflog0" on the pf box show any blocked packets?

tcpdump of the pflog0 does not show any packets from or to the IP in question.

> RE: ftp-proxy
> This just adds complexity, after everything is working you could add it in.
>
> RE: active ftp user requirement
> Yes, I understand, it is the users who help us pay our mortgage ;)
>
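An added example, not the poster's pf.conf and not J65nko's reply: a server-side ruleset that follows the three connection directions the thread lays out (command channel client:>1023 --> server:21, passive data client:>1023 --> server:>1023, active data server:20 --> client:>1023). The macro values, the interface name and the address are assumptions; the passive range 49152-65535 is taken from the original "port > 49151" rule and assumes the ftpd is configured to hand out ports in that range. The active-data rule is written from the direction diagram (server is the source, so the connection leaves on $ext_if), which is why it is a "pass out" with $ext_IP as the source rather than the "pass in ... to $ext_IP port 20" rule the thread identifies as matching the wrong direction.

```pf
# Added example (assumed values, not the original pf.conf)
ext_if = "em0"          # assumed external interface
ext_IP = "192.0.2.10"   # assumed server address (documentation range)

# Default deny, logged to pflog0 so blocked packets can be seen with tcpdump
block log all

# Command channel, initiated by the client:  client:>1023 ---> server:21
pass in quick on $ext_if inet proto tcp from any to $ext_IP port 21 keep state

# Passive data channel, also initiated by the client:  client:>1023 ---> server:>49151
# (assumes ftpd is configured to use the 49152-65535 passive range)
pass in quick on $ext_if inet proto tcp from any to $ext_IP port > 49151 keep state

# Active data channel, initiated by the SERVER with source port 20 (ftp-data):
#   server:20 ---> client:>1023
# Seen on $ext_if this connection is outbound, so the rule is "pass out" and the
# server address is the source, not the destination.
pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data to any port > 1023 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, no rule change), then watch the default-deny log for the client under test with `tcpdump -eni pflog0 host <client-address>`; with `-e` each line shows the rule number and action, so a blocked active-data SYN from port 20 shows up as an outbound block and points straight at the missing or misdirected "pass out" rule.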