Date:      Thu, 01 Oct 2009 20:07:29 +0100
From:      AG <computing.account@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Query about pf.conf
Message-ID:  <4AC4FDF1.4060106@gmail.com>

Hello

I want to see why I am unable to download via ftp. I believe that it would have something to do with my pf.conf file in my firewall, so I have listed that below.

########### simple pf.conf ##################
# allow all outgoing TCP, UDP
# allow outgoing ICMP ping
# specifically block 11 common inet services
# Modified for nntp and bittorrent
#############################################


# MACRO
ext_if = "rl0"
int_if = "vr0"
PING = "echoreq"
allow_tcp = "{ 119 }"                      #Port needed for nntp server

#IntNet = "192.168.1.0/24"                  #Sub-net range
#InBitTCP = "{ 6969, 6881:6889 }"           #Ports needed for BitTorrent
#BitIP = "192.168.1.40"                     #BitTorrent client

tcp_services = "{ smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh, telnet, rsync }"
udp_services = "{ domain }"


# OPTIONS:
set block-policy drop
set optimization normal
set loginterface $ext_if

# SCRUB:
scrub in on $ext_if all

# NAT/RDR
nat on $ext_if from $int_if:network to any -> $ext_if

#nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if \
 static-port 
#nat on $ext_if proto udp from $IntNet port $InBitTCP to any -> $ext_if \
 static-port
#rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
#rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \
 port 6881:6889

# filter:

block log on $ext_if all

#pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP \
 flags S/SA synproxy state
#pass in quick on $ext_if inet proto udp from any to any port $InBitTCP

#pass out on $int_if inet proto tcp from any to $IntNet port $port_bittorrent \
 flags S/SA synproxy state
#pass out on $int_if inet proto udp from any to $IntNet port $port_bittorrent

pass quick on lo0 all

pass out on $ext_if proto tcp from any to any port $allow_tcp keep state

pass out quick on $ext_if inet proto tcp from \
    { $ext_if:network, $int_if:network } to any port $tcp_services keep state

pass out quick on $ext_if inet proto udp from \
    { $ext_if:network, $int_if:network } to any port $udp_services keep state

pass out quick on $ext_if inet proto icmp from \
    { $ext_if:network, $int_if:network } to any icmp-type $PING keep state

antispoof for $ext_if
antispoof for $int_if

#### /etc/pf.conf ends ######################

Can anyone shine a light on this to help me out please?

Many TIA.

AG
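An added example, not part of AG's post, to illustrate what a stateful filter sees during an FTP transfer. FTP negotiates a second data connection inside the control channel on port 21, and the port for that data connection is chosen per transfer (via PASV, EPSV or PORT). The script parses those three negotiation forms and models the TCP part of the posted ruleset on $ext_if as listed: `block log on $ext_if all` as the default, with pass rules only for outbound TCP to $allow_tcp and $tcp_services. The transcript, addresses and ports are constructed sample data, and the service-name-to-port table is the usual /etc/services mapping assumed here rather than read from a live system.

```python
"""Added example, not part of AG's post: how FTP data connections
interact with a ruleset that only passes outbound TCP to listed ports.
All sample addresses, ports and control-channel lines are constructed.
"""
import re

# Service names from the posted tcp_services macro, resolved to the
# port numbers pf would take from /etc/services (assumed mapping).
TCP_SERVICES = {
    "smtp": 25, "pop3": 110, "pop3s": 995, "www": 80, "msa": 587,
    "https": 443, "ftp": 21, "whois": 43, "ssh": 22, "telnet": 23,
    "rsync": 873,
}
ALLOW_TCP = {119}  # the posted allow_tcp macro (nntp)

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def data_channel(message):
    """Classify one control-channel message that sets up a data connection.

    Returns (mode, direction as seen on $ext_if, host, port). In passive
    mode the client connects outbound to the server's chosen port; in
    active mode the server connects inbound to the client's chosen port.
    Raises ValueError for messages that do not negotiate a data channel.
    """
    m = PASV_RE.search(message)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("passive", "out", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.search(message)
    if m:
        # EPSV reports only the port; the host is the control-channel peer.
        return ("passive", "out", None, int(m.group(1)))
    m = PORT_RE.match(message.strip())
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return ("active", "in", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    raise ValueError(f"not a data-channel negotiation: {message!r}")


def posted_ruleset_passes(direction, dport):
    """Decide whether the listed rules pass a new TCP connection on $ext_if.

    The only pass rules for TCP on $ext_if are outbound to $allow_tcp or
    $tcp_services; anything else, including every inbound connection,
    is left to 'block log on $ext_if all'.
    """
    if direction == "out":
        return dport in ALLOW_TCP or dport in TCP_SERVICES.values()
    return False


def audit_session(control_lines):
    """Run a control-channel transcript through the model and report each
    data connection as (mode, direction, port, passes)."""
    report = []
    for line in control_lines:
        try:
            mode, direction, host, port = data_channel(line)
        except ValueError:
            continue  # USER, PASS, 150, 226 and similar set up no data channel
        report.append((mode, direction, port, posted_ruleset_passes(direction, port)))
    return report


# Constructed transcript: the control connection to port 21 is fine, the
# client first tries passive mode, then falls back to active mode.
SAMPLE_SESSION = [
    "220 FTP server ready.",
    "USER anonymous",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (198,51,100,7,195,80).",
    "RETR file.tar.gz",
    "PORT 192,168,1,40,200,10",
    "200 PORT command successful.",
]

if __name__ == "__main__":
    for mode, direction, port, ok in audit_session(SAMPLE_SESSION):
        print(f"{mode:8} {direction:3} port {port:5}  {'pass' if ok else 'blocked'}")
```

Run as a script, the report shows the control channel on port 21 is covered by $tcp_services, while the passive data connection (outbound to a high port) and the active one (inbound to the client) match no pass rule in the listing. This is the general reason FTP needs help from the firewall: on FreeBSD the usual remedy is ftp-proxy(8), hooked into pf.conf with an `rdr` of port 21 traffic to the proxy plus `nat-anchor`/`rdr-anchor`/`anchor "ftp-proxy/*"` entries, so that pf opens exactly the negotiated port for the duration of each transfer.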