Date: Thu, 23 Dec 2004 18:28:41 +0100
From: Didier Wiroth <didier.wiroth@mcesr.etat.lu>
To: freebsd-pf@freebsd.org
Subject: new passive ftp / ftp-proxy problem.
Message-ID: <2e5ff705f48.41cb0e59@etat.lu>
Hi,

I'm trying different pf.conf for my home router. I would like to change my actual pf.conf to a default "block all" policy and explicitly allow/open the ports I need.

How do you have to modify the below pf.conf sample to allow passive ftp, is this even possible? Please keep in mind that I want to keep the default "block all".

I would like to use ftp-proxy started from inetd like this:

    ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

As a test, I created a very simple pf.conf, which actually doesn't work:

    #variables
    int_if="sis0"
    ext_if="tun0"

    # options
    set block-policy return
    set loginterface $ext_if

    # nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
    rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy

    pass quick on lo0 all
    block log-all all

    #ftp connections
    pass in on $int_if inet proto tcp from $int_if:network to { $int_if, localhost } port ftp-proxy keep state
    pass out on $ext_if inet proto tcp from $ext_if to any port ftp keep state user proxy
    -----------------end snip ----------------

Why isn't this working?

Thx a lot
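For comparison, here is a complete rule set for the same setup (LAN on sis0, PPP/tunnel uplink on tun0, ftp-proxy started from inetd with -u proxy -m 55000 -M 57000) that keeps a default block policy. This is an added example, not the poster's configuration and not taken from ftp-proxy(8). The rule set in the post only passes the FTP control connection (client to proxy, proxy to server); under a block-all policy the data connections need their own rules too: in passive mode the LAN client connects to the proxy's 55000:57000 listener, and the proxy itself connects out to whatever port the server announced. Assumptions are marked in the comments; in particular, which address the proxy uses for its client-facing listener (127.0.0.1 after the rdr, or the inside interface address) is not stated on the page, so both are listed, as the original rule set already does for the control port.

```pf
# Added example rule set (not the original poster's pf.conf).
# Assumptions: sis0 = LAN, tun0 = uplink, ftp-proxy from inetd on port 8021
# (the "ftp-proxy" service), run as user "proxy" with -m 55000 -M 57000.
int_if="sis0"
ext_if="tun0"
proxy_port="8021"           # assumption: ftp-proxy's inetd listen port
proxy_data="55000:57000"    # the -m/-M data port range from the inetd line

set block-policy return
set loginterface $ext_if

# Outbound NAT for the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Send LAN clients' FTP control connections to the local proxy.
rdr on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port $proxy_port

# Default policy: everything not explicitly passed below is blocked and logged.
pass quick on lo0 all
block log all

# Control connection, LAN client -> proxy. Filtering sees the rdr'd destination,
# so 127.0.0.1 must be allowed here; $int_if is listed as well (assumption about
# the address the proxy is reached on, see lead-in).
pass in on $int_if inet proto tcp from $int_if:network \
    to { 127.0.0.1, $int_if } port $proxy_port flags S/SA keep state

# Passive-mode data connection, LAN client -> the port the proxy substituted
# into the server's PASV reply (inside the -m/-M range).
pass in on $int_if inet proto tcp from $int_if:network \
    to { 127.0.0.1, $int_if } port $proxy_data flags S/SA keep state

# Proxy -> server: the control connection to port 21 and, in passive mode, the
# data connection to the (unprivileged) port the server announced. "user proxy"
# restricts these rules to sockets owned by the proxy's uid, so the rest of the
# router and the LAN do not get a blanket high-port allowance.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port > 1023 \
    user proxy flags S/SA keep state

# Active-mode transfers (server connects back to the proxy's data range) would
# additionally need an inbound rule on $ext_if; omitted here since the question
# is about passive mode:
# pass in on $ext_if inet proto tcp from any to ($ext_if) port $proxy_data \
#     user proxy flags S/SA keep state

# Other LAN traffic the router should forward goes after this point, e.g.
# pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

Two checks worth running after loading this: `pfctl -nf /etc/pf.conf` to validate the syntax before activating it, and `pfctl -s state` during a passive transfer, which should show one state for the client's control connection to port 8021, one for the client's data connection into the 55000:57000 range, and two outbound states owned by the proxy on tun0. If the data state on sis0 never appears, the client is being told an address it cannot reach in the rewritten PASV reply, which points at the 127.0.0.1-versus-interface-address question above rather than at the filter rules.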