Date:      Thu, 23 Dec 2004 20:32:34 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Didier Wiroth <didier.wiroth@mcesr.etat.lu>
Subject:   Re: new passiv ftp /ftp-proxy problem.
Message-ID:  <200412232032.36565.max@love2party.net>
In-Reply-To: <2e5ff705f48.41cb0e59@etat.lu>
References:  <2e5ff705f48.41cb0e59@etat.lu>

On Thursday 23 December 2004 18:28, Didier Wiroth wrote:
> Hi,
>
> I'm trying different pf.conf for my home router. I would like to change
> my actual pf.conf to a default "block all" policy and explicitly
> allow/open the ports I need.
>
> How do you have to modify the below pf.conf sample to allow passive ftp, is
> this even possible? Please keep in mind that I want to keep the default
> "block all".
>
> I would like to use ftp-proxy started from inetd like this:
> ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy
> ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> As a test, I created a very simple pf.conf, which actually doesn't work:
> #variables
> int_if="sis0"
> ext_if="tun0"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp ->
> 127.0.0.1 port ftp-proxy
>
> pass quick on lo0 all
> block log-all all
>
> #ftp connections
> pass in on $int_if inet proto tcp from $int_if:network to \
>     { $int_if, localhost } port ftp-proxy keep state
> pass out on $ext_if inet proto tcp from $ext_if to any port ftp \
>     keep state user proxy

Add at least:
pass in on $ext_if inet proto tcp from any to ($ext_if) port 55000:57000 \
    keep state user proxy

>
> -----------------end snip ----------------
> Why isn't this working?

You can also watch "$tcpdump -n -e -ttt -i pflog0" to see what is dropped. You
will quickly figure out what belongs to your ftp connection and what you need to
enable.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
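The pflog triage that the reply describes, as an added example that is not part of the original thread or of pf/ftp-proxy: a small hypothetical Python script that reads the text of `tcpdump -n -e -ttt -i pflog0`, groups the blocked flows by interface, direction and destination port, and flags the ones arriving on the external interface in the ftp-proxy data range from the inetd line above (`-m 55000 -M 57000`), which is where the `pass in on $ext_if ... port 55000:57000 ... user proxy` rule applies. The sample lines are constructed (documentation addresses), and the line layout the regular expression assumes approximates what tcpdump prints for pflog records on a FreeBSD 5 era system; adjust the pattern if your tcpdump formats the `rule n/m(match):` prefix differently.

```python
"""Triage blocked flows from pflog output while debugging pf + ftp-proxy.

Hypothetical helper written for this archive page; not part of pf, tcpdump
or ftp-proxy.  Feed it the text of `tcpdump -n -e -ttt -i pflog0`, and it
groups the 'block' records and points out those that land in the proxy's
data port range (-m/-M) on the external interface.
"""
import re
from collections import Counter

# Assumed layout of one pflog record as printed by tcpdump -n -e -ttt:
#   <delta> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the interesting fields of one record, or None if the line is not one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_flows(lines):
    """Count blocked records keyed by (interface, direction, dst address, dst port)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["ifname"], rec["direction"], rec["dst"], rec["dport"])] += 1
    return counts


def suggest_rule(key, ext_if, minport, maxport):
    """Return the pf rule from the reply when a blocked flow is an inbound
    connection on the external interface to the ftp-proxy data range."""
    ifname, direction, _dst, dport = key
    if ifname == ext_if and direction == "in" and minport <= dport <= maxport:
        return (f"pass in on {ext_if} inet proto tcp from any to ({ext_if}) "
                f"port {minport}:{maxport} keep state user proxy")
    return None


def triage(lines, ext_if="tun0", minport=55000, maxport=57000):
    """Return (key, count, suggested rule or None) tuples, busiest flow first."""
    counts = blocked_flows(lines)
    return [(key, n, suggest_rule(key, ext_if, minport, maxport))
            for key, n in counts.most_common()]


# Constructed sample output.  The FTP server at 192.0.2.10 is retrying a data
# connection to the proxy's port 55120 on the router's external address and
# being dropped by the catch-all block rule; the ssh probe is unrelated.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): block in on tun0: 192.0.2.10.20 > 198.51.100.7.55120: S 3254232:3254232(0) win 5840
00:00:03.011204 rule 3/0(match): block in on tun0: 192.0.2.10.20 > 198.51.100.7.55120: S 3254232:3254232(0) win 5840
00:00:00.200413 rule 3/0(match): block in on tun0: 203.0.113.9.52331 > 198.51.100.7.22: S 77:77(0) win 5840
00:00:00.010092 rule 0/0(match): pass out on tun0: 198.51.100.7.4000 > 192.0.2.10.21: S 1:1(0) win 65535
""".splitlines()

if __name__ == "__main__":
    for key, n, hint in triage(SAMPLE_PFLOG):
        ifname, direction, dst, dport = key
        print(f"{n:4d}x block {direction} on {ifname} -> {dst} port {dport}")
        if hint:
            print(f"      needs: {hint}")
```

Run it against live output with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_triage.py` style piping by replacing `SAMPLE_PFLOG` with `sys.stdin`; the grouping keeps the noise (unrelated probes on the external interface) separate from the flows that actually belong to the ftp session, which is the distinction the reply asks you to make before opening anything.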



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200412232032.36565.max>