Date: Tue, 5 Jul 2005 14:09:51 +0200
From: Gareth Bailey <gjbailey@gmail.com>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: LAN FTP problem with sample PF ruleset
Message-ID: <48a5f32a050705050979c91efd@mail.gmail.com>

Hi all,

My LAN doesn't have FTP access using the sample PF ruleset from the openbsd
site. My rules are as follows, any help as to where I'm going wrong would be
great, thanks!

RULESET:

# macros
int_if = "xl0"
ext_if = "rl0"
# tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 0.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# pass in on $ext_if proto tcp from any to $comp3 port 80 flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state