Date: Thu, 23 Dec 2004 18:28:41 +0100 From: Didier Wiroth <didier.wiroth@mcesr.etat.lu> To: freebsd-pf@freebsd.org Subject: new passiv ftp /ftp-proxy problem. Message-ID: <2e5ff705f48.41cb0e59@etat.lu>
next in thread | raw e-mail | index | archive | help
Hi,
I'm trying different pf.conf for my home router. I would like to change my actual pf.conf to a default "block all" policy and explicitly allow/open the ports I need.
How do you have to modify the below pf.conf sample to allow passiv ftp, is this even possible? Please keep in mind that I want to keep the default "block all".
I would like to use ftp-proxy started from inetd like this:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
As a test, I created a very simple pf.conf, which actually doesn't work:
#variables
int_if="sis0"
ext_if="tun0"
# options
set block-policy return
set loginterface $ext_if
#
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy
pass quick on lo0 all
block log-all all
#ftp connections
pass in on $int_if inet proto tcp from $int_if:network to { $int_if, localhost } port ftp-proxy keep state
pass out on $ext_if inet proto tcp from $ext_if to any port ftp keep state user proxy
-----------------end snip ----------------
Why isn't this working?
Thx a lot
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2e5ff705f48.41cb0e59>