From owner-freebsd-pf@FreeBSD.ORG Tue May 29 10:10:12 2007
From: "Abdullah Ibn Hamad Al-Marri" <almarrie@gmail.com>
To: "zhouyi zhou"
Date: Tue, 29 May 2007 13:10:11 +0300
Message-ID: <499c70c0705290310r125510f3ibba97895bcd105c9@mail.gmail.com>
In-Reply-To: <20070529171917.23c348f6.zhouzhouyi@ercist.iscas.ac.cn>
References: <007001c7a122$38fd41b0$1c024dd2@iosdf17a8152bc> <465BED72.6090100@vwsoft.com> <20070529171917.23c348f6.zhouzhouyi@ercist.iscas.ac.cn>
Cc: Volker, freebsd-pf@freebsd.org
Subject: Re: have anyone configured "synproxy state" beforce
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 5/29/07, zhouyi zhou wrote:
> Dear Mr. Volker,
> Thank you very much.
> Zelest persuaded me to add a "set skip on lo0".
> That becomes:
>
> set skip on lo0
> pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy stat\e
>
> Sincerely yours,
> Zhouyi Zhou
>
> On Tue, 29 May 2007 11:08:02 +0200
> Volker wrote:
>
> > On 05/28/07 14:17, Zhouyi Zhou wrote:
> > > Hi everyone (in particular Max :-)),
> > > The configuration line in my pf.conf is:
> > > pass in quick on lo0 proto tcp from any to any port 21 flags S/SA synproxy state
> > >
> > > But:
> > > the connection is established, but the control did not seem to pass to the ftpd.
> > > Sincerely yours,
> > > Zhouyi Zhou
> >
> > Zhouyi,
> >
> > security@ is the wrong mailing list. Please post questions like this to pf@.
> >
> > I'm wondering where this traffic originates? You're using interface lo0, which will (most likely) be used for traffic on the local machine, but you should not find much traffic on that interface from other hosts.
> >
> > As you're using 21/tcp I assume you're playing with ftp traffic. Ftp is not just using that single (control) port but a pair of 21/tcp and a dynamically allocated port. You have to pass that traffic, too, or otherwise no data communication will be established. Also it is most likely that you will have to use an FTP proxy.
> >
> > I suspect your whole problem is really not synproxy related.
> >
> > HTH
> >
> > Volker
> >
> > > (Sorry for the previously base64-encoded mail caused by M$ Outlook)
> > PS: FreeBSD is also great for workstations! :)

Please make sure you fix the typo in your rule: it's "state", not "stat\e":

pass in quick on rl0 proto tcp from any to any port=21 flags S/SA synproxy state

As for Volker, he is a really helpful guy. Thank you, Volker :)

--
Regards,
-Abdullah Ibn Hamad Al-Marri
Arab Portal
http://www.WeArab.Net/
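The following pf.conf fragment is an added example, not a rule set posted by anyone in this thread. It puts together the points made above: the synproxy rule belongs on the external interface rl0 (not lo0), lo0 is skipped, and the FTP data channel must be passed alongside the control channel on 21/tcp. It assumes ftpd runs on the pf host itself; the passive port range 49152:65535 and the macro names are assumptions and must be changed to match the range the local ftpd actually hands out.

```pf
# Added example (not from the thread). Assumes rl0 is the external
# interface, as in Zhouyi's rule, and that ftpd runs on this host.
# The passive data-port range is an assumption: set it to the range
# your ftpd really uses, or the control channel works but every
# listing and transfer hangs.
ext_if = "rl0"
ftp_pasv_ports = "49152:65535"

# Loopback traffic is local to this host. pf does not need to filter
# it, and synproxy on lo0 makes no sense because the host is both
# endpoints of the handshake.
set skip on lo0

# Default deny inbound on the external interface.
block in on $ext_if

# FTP control channel. synproxy state completes the TCP three-way
# handshake on behalf of ftpd, so ftpd only ever sees connections
# that finished the handshake. "flags S/SA" matches the initial SYN
# only, which is what synproxy needs to see.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 21 \
    flags S/SA synproxy state

# Passive-mode data channel: the client opens a second connection to
# a high port on the server. Same synproxy treatment as port 21.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $ftp_pasv_ports \
    flags S/SA synproxy state

# Active-mode data channel: ftpd connects back to the client from
# source port 20, so the outbound rule keeps state for the reply.
pass out quick on $ext_if proto tcp from ($ext_if) port 20 to any \
    flags S/SA keep state
```

Before loading, run `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded): a typo such as `stat\e` makes pfctl reject the file with a syntax error, and an unchecked `pfctl -f` then leaves the previous rule set in force, which is exactly the "connection established but nothing reaches ftpd" symptom that is hard to tell apart from a real synproxy problem. After loading, `pfctl -vsr` shows the rules as pf parsed them and `pfctl -ss` the states, so you can confirm that the rule on rl0, not a stale lo0 rule, is the one matching the control connection.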