Date:      Mon, 16 Apr 2012 21:16:02 +0800
From:      Denny Lin <dennylin93@hs.ntnu.edu.tw>
To:        Hasse Hansson <fbsd@thorshammare.org>
Cc:        'FreeBSD doc' <freebsd-doc@freebsd.org>, 'Fbsd8' <fbsd8@a1poweruser.com>, 'FreeBSD Questions' <freebsd-questions@freebsd.org>, 'FreeBSD Current' <freebsd-current@freebsd.org>
Subject:   Re: SV: pf firewall and ftp
Message-ID:  <20120416131602.GC43550@mail.hs.ntnu.edu.tw>
In-Reply-To: <000b01cd1ba4$17435e90$45ca1bb0$@org>
References:  <4F8AF6C8.4010703@a1poweruser.com> <4F8B846D.3050809@a1poweruser.com> <000b01cd1ba4$17435e90$45ca1bb0$@org>

On Mon, Apr 16, 2012 at 09:39:38AM +0200, Hasse Hansson wrote:
> To solve the ftp pre 4.7 part, you can start reading here
> http://home.nuug.no/~peter/pf/en/long-firewall.html#FTPPROBLEM
> 
> /Hasse
> -----Original message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On behalf of Fbsd8
> Sent: 16 April 2012 04:31
> To: FreeBSD Questions; FreeBSD Current; FreeBSD doc
> Subject: Re: pf firewall and ftp
> 
> Fbsd8 wrote:
> > Running 9.0 as a gateway host with pf firewall enabled.
> > FTP is launched by inetd.
> > Both active and passive ftp works from lan pc's to the host ftp.
> > The lan ftp session can be initiated from the host or any lan pc and 
> > things work because there are no rules on the lan interface except 
> > single pass all rule.
> > 
> > But I can not do host initiated or lan initiated ftp sessions to the 
> > public internet. Get "operation not permitted" message. Tried to setup 
> > ftp-proxy per openbsd pf manual without any joy.
> > 
> > Looking for working rule set with nat and ftp services to study and 
> > learn from.
> >
> 
> OK, I have uncovered what the problem is.
> The pf version running on FreeBSD 9.0 matches the version running on OpenBSD
> 4.5. Found it in man pf at the end.
> 
> The documentation on the OpenBSD website for pf is for OpenBSD 5.0 and it
> has a warning saying "NOTE: This information is for OpenBSD 4.7. NAT
> configuration was significantly different in earlier versions."
> http://pf4freebsd.love2party.net/ has more info about how backdated the
> 9.0 FreeBSD production version of pf is.
> 
> The FreeBSD handbook had a detailed section on pf including rule examples
> matching the version of pf included with 9.0. But someone allowed it to be
> removed in the current version of the handbook.
> 
> So here we are with an outdated version of pf in the current production
> 9.0 version of FreeBSD and there is no documentation available on nat rule
> syntax in the handbook or at openbsd/pf.

The version of PF in FreeBSD corresponds to the one in OpenBSD 4.5.

There are old versions of the OpenBSD PF FAQ on mirrors:
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.pdf
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt

> Going to dig through the 9.0 pf man pages for the info

The rules should also be documented in the man pages.

-- 
Denny Lin
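For readers hitting the same wall, here is a minimal pf.conf in the pre-4.7 (OpenBSD 4.5-era) grammar that the FreeBSD 9.0 pf accepts, covering the two things the thread asks for: NAT for a LAN and ftp-proxy(8) for LAN clients' active and passive FTP to the Internet. This is an added illustration, not a ruleset from anyone in the thread; the interface names, LAN prefix and proxy port are assumptions, and it does not cover FTP sessions started on the gateway itself.

```pf
# Assumed names: adjust to the gateway's real interfaces and LAN.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
proxy   = "127.0.0.1"        # ftp-proxy(8) listens here on port 8021 by default

set skip on lo0

# Pre-4.7 pf: translation rules (nat/rdr) are separate from filter
# rules and must come before them. There is no "match ... nat-to".
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Anchors that ftp-proxy fills with per-session nat/rdr rules for the
# data connections it negotiates (the "operation not permitted" case
# without a proxy is the firewall dropping those data connections).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect LAN clients' FTP control connections to the local proxy.
rdr pass on $int_if inet proto tcp from $lan_net to any port 21 \
    -> $proxy port 8021

# Filter section. The proxy inserts its own pass rules into this anchor.
anchor "ftp-proxy/*"

block in on $ext_if

# Single pass-all on the LAN side, as in the original setup.
pass in  on $int_if
pass out on $int_if

# The proxy opens the real control connection outbound; allow it,
# then allow other outbound traffic (NATed LAN and the gateway itself).
pass out on $ext_if inet proto tcp to any port 21 flags S/SA keep state
pass out on $ext_if inet keep state

# /etc/rc.conf needs the proxy running:
#   pf_enable="YES"
#   ftpproxy_enable="YES"
# Check with: pfctl -nf /etc/pf.conf  and  pfctl -a "ftp-proxy/*" -sr
```

`pfctl -sa` during a transfer should show the proxy's temporary rules appearing in the `ftp-proxy/*` anchors and the matching states; if the anchors stay empty, the rdr to port 8021 is not matching or the proxy is not running.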
