From owner-freebsd-questions@FreeBSD.ORG Mon Apr 16 13:21:40 2012
Date: Mon, 16 Apr 2012 21:16:02 +0800
From: Denny Lin
To: Hasse Hansson
Cc: 'FreeBSD doc', 'Fbsd8', 'FreeBSD Questions', 'FreeBSD Current'
Subject: Re: SV: pf firewall and ftp
Message-ID: <20120416131602.GC43550@mail.hs.ntnu.edu.tw>
In-Reply-To: <000b01cd1ba4$17435e90$45ca1bb0$@org>
References: <4F8AF6C8.4010703@a1poweruser.com> <4F8B846D.3050809@a1poweruser.com> <000b01cd1ba4$17435e90$45ca1bb0$@org>
On Mon, Apr 16, 2012 at 09:39:38AM +0200, Hasse Hansson wrote:
> To solve the ftp pre 4.7 part, you can start reading here
> http://home.nuug.no/~peter/pf/en/long-firewall.html#FTPPROBLEM
>
> /Hasse
> -----Original message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On behalf of Fbsd8
> Sent: 16 April 2012 04:31
> To: FreeBSD Questions; FreeBSD Current; FreeBSD doc
> Subject: Re: pf firewall and ftp
>
> Fbsd8 wrote:
> > Running 9.0 as a gateway host with pf firewall enabled.
> > FTP is launched by inetd.
> > Both active and passive ftp work from lan PCs to the host ftp.
> > The lan ftp session can be initiated from the host or any lan PC and
> > things work because there are no rules on the lan interface except a
> > single pass all rule.
> >
> > But I cannot do host initiated or lan initiated ftp sessions to the
> > public internet. Get "operation not permitted" message. Tried to set up
> > ftp-proxy per openbsd pf manual without any joy.
> >
> > Looking for a working rule set with nat and ftp services to study and
> > learn from.
> >
>
> OK I have uncovered what the problem is.
> The pf version running on Freebsd 9.0 matches the version running on openbsd
> 4.5. Found it in man pf at the end.
>
> The documentation on the Openbsd website for pf is for Openbsd 5.0 and it
> has a warning saying "NOTE: This information is for OpenBSD 4.7. NAT
> configuration was significantly different in earlier versions."
> http://pf4freebsd.love2party.net/ has more info about how backdated the
> 9.0 Freebsd production version of pf is.
>
> The Freebsd handbook had a detailed section on pf including rules examples
> matching the version of pf included with 9.0. But someone allowed it to be
> removed in the current version of the handbook.
>
> So here we are with an outdated version of pf in the current production
> 9.0 version of Freebsd and there is no documentation available on nat rule
> syntax in the handbook or at openbsd/pf.

The version of PF in FreeBSD corresponds to the one in OpenBSD 4.5. There
are old versions of the OpenBSD PF FAQ on mirrors:

http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.pdf
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt

> Going to dig through the 9.0 pf man pages for the info

The rules should also be documented in the man pages.

-- 
Denny Lin
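The thread turns on the difference between the pre-4.7 pf syntax that FreeBSD 9.0 ships (OpenBSD 4.5 generation: separate nat/rdr translation section) and the 4.7+ syntax the current OpenBSD FAQ documents (match ... nat-to / rdr-to). The following pf.conf is an added example written for this page, not a rule set posted by anyone in the thread and not taken from the handbook or the FAQ. It shows the old-style NAT plus ftp-proxy layout for a LAN gateway, with the 4.7+ equivalent of each translation rule in a comment for comparison. The interface names, the LAN prefix and the proxy address/port are assumptions for illustration.

```pf
# Added example (not from the thread): pre-OpenBSD-4.7 pf.conf as used by
# FreeBSD 9.0's pf, for a gateway that NATs a LAN and relays outbound FTP
# through ftp-proxy(8). Interface names, LAN prefix and proxy address/port
# are assumed values; adjust them to the real host.
ext_if  = "em0"             # assumed external interface
int_if  = "em1"             # assumed LAN interface
lan_net = "192.168.1.0/24"  # assumed LAN prefix
proxy   = "127.0.0.1"       # ftp-proxy listen address; 8021 is its usual port

# This pf generation enforces section order: options, normalization,
# queueing, translation (nat/rdr/binat), then filtering. Translation rules
# cannot be interleaved with pass/block rules the way 4.7+ 'match' rules can.
set skip on lo0
scrub in all

# --- Translation section ---
# ftp-proxy inserts its own nat/rdr rules into these anchors per session.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Outbound NAT for the LAN.
# 4.7+ equivalent (NOT accepted by 9.0's pf):
#   match out on $ext_if from $lan_net to any nat-to ($ext_if)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Send LAN clients' FTP control connections to the local proxy.
# Note: an rdr on $int_if only catches packets arriving from the LAN;
# FTP sessions started on the gateway itself are not redirected by it.
# 4.7+ equivalent:
#   pass in on $int_if proto tcp from $lan_net to any port 21 rdr-to $proxy port 8021
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> $proxy port 8021

# --- Filtering section ---
block in on $ext_if
pass in on $int_if from $lan_net
pass out on $int_if

# ftp-proxy adds per-session pass rules for the negotiated data ports here,
# so only the ports of live FTP sessions are opened rather than a blanket
# high-port range.
anchor "ftp-proxy/*"

# Allow the proxy's own control connections out (also covered by the
# general pass out rule below, kept explicit for readability).
pass out on $ext_if proto tcp from $proxy to any port 21 keep state

# Remaining outbound traffic from the gateway and the NATed LAN.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

Load it with pfctl -nf /etc/pf.conf first: on 9.0 a 4.7-style line such as the commented nat-to rule is a syntax error, which is a quick way to tell which pf generation a host is running. The base-system ftp-proxy(8) is started with ftpproxy_enable="YES" in /etc/rc.conf; without it running, the rdr sends port-21 connections to a closed local port and the client sees the connection refused rather than proxied.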