Date:      Fri, 8 Jan 2010 05:18:48 +0100
From:      J65nko <j65nko@gmail.com>
To:        "M. Keith Thompson" <m.keith.thompson@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: ftp problem
Message-ID:  <19861fba1001072018g115a0bccrf9510a38454cc9db@mail.gmail.com>
In-Reply-To: <fc2243911001071319q4bbbc4a6o6b58031bba59c39b@mail.gmail.com>
References:  <fc2243911001060809m5417b810vf2ed40c8a969fb5f@mail.gmail.com> <7731938b1001060923n5de4b511of07b8c63cff4e011@mail.gmail.com> <fc2243911001060957n16f906f7m703c696b970e8c3c@mail.gmail.com> <2cf1d0681001071216p6b516e9egcf7401f2b38e3c3d@mail.gmail.com> <19861fba1001071237ncc440d5u1ab280d2aaf0c72f@mail.gmail.com> <fc2243911001071319q4bbbc4a6o6b58031bba59c39b@mail.gmail.com>

On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson
<m.keith.thompson@gmail.com> wrote:
> On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko@gmail.com> wrote:
>>> # SSH from NetEng subnet
>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>>
>>> # Allow inside network to ping the server
>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>
>>> # Allow DNS lookups
>>> pass out quick on $ext_if proto udp to any port 53
>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>
>>> # Allow ftp
>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>>
>>> --- end of pf.conf  ----------------------

With ftp the client initiates the ftp command channel
   client:port >1023   ---> server:port 21

The passive ftp data channel is initiated by the client
    client:port >1023  ---> server:port>1023

Your second rule takes care of this

The active ftp data channel is initiated by the ftp server
using, and that is kind of weird, port 20 (ftp-data) as source port.
      server:port 20   ---> client:port >1023

You meant to pass active ftp with this rule:

>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state

But it should be:
    pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data
    to any port > 10000 keep state

BTW you have a nice pf debug friendly "block log all" default policy.
Does "tcpdump -eni pflog0" on the pf box show any blocked packets?

RE: ftp-proxy
This just adds complexity; after everything is working you could add it in.

RE: active ftp user requirement
Yes, I understand, it is the users who help us pay our mortgage ;)
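The direction argument made in the reply above, worked through in code. This is an added example, not part of the original e-mail: a deliberately simplified model of pf's matching (last match wins, `quick` stops evaluation, only address/port/direction are checked) run against the opening packet of the three TCP connections an FTP session uses. It assumes $ext_IP is the FTP server's own address, since the quoted rules pass traffic "to $ext_IP" with no rdr, and the addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed addresses; $ext_IP is assumed to be the FTP server (the pf box).
EXT_IP = "203.0.113.10"
CLIENT = "198.51.100.7"
PortMatch = Optional[Callable[[int], bool]]


@dataclass(frozen=True)
class Packet:
    """Opening (SYN) packet of a TCP connection as seen on $ext_if."""
    direction: str  # "in" or "out" relative to the pf box
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None matches both ("block log all")
    src: Optional[str] = None          # None = any
    sport: PortMatch = None            # None = any port
    dst: Optional[str] = None
    dport: PortMatch = None
    quick: bool = False
    text: str = ""                     # the pf.conf line this models

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in (None, p.direction)
            and self.src in (None, p.src)
            and (self.sport is None or self.sport(p.sport))
            and self.dst in (None, p.dst)
            and (self.dport is None or self.dport(p.dport))
        )


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Simplified pf semantics: the last matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation at once."""
    decision = "block"  # nothing matched at all
    for r in rules:
        if r.matches(p):
            decision = r.action
            if r.quick:
                break
    return decision


def original_rules() -> List[Rule]:
    """The FTP-related rules from the quoted pf.conf."""
    return [
        Rule("block", text="block log all"),
        Rule("pass", "in", dst=EXT_IP, dport=lambda d: d == 21, quick=True,
             text="pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state"),
        Rule("pass", "in", dst=EXT_IP, dport=lambda d: d > 49151, quick=True,
             text="pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state"),
        # The rule the reply says is wrong: no FTP packet ever arrives *at* port 20.
        Rule("pass", "in", sport=lambda s: s > 10000, dst=EXT_IP,
             dport=lambda d: d == 20, quick=True,
             text="pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state"),
    ]


def fixed_rules() -> List[Rule]:
    """Same set with the active-data rule turned around: the server opens
    that connection, so it is outbound with source port ftp-data (20)."""
    rules = original_rules()[:-1]
    rules.append(Rule("pass", "out", src=EXT_IP, sport=lambda s: s == 20,
                      dport=lambda d: d > 10000, quick=True,
                      text="pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data to any port > 10000 keep state"))
    return rules


# The three connections of an FTP session, as their opening packets.
FLOWS: Dict[str, Packet] = {
    "control":      Packet("in",  CLIENT, 50001, EXT_IP, 21),     # client -> server:21
    "passive data": Packet("in",  CLIENT, 50002, EXT_IP, 55000),  # client -> server:>1023
    "active data":  Packet("out", EXT_IP, 20,    CLIENT, 50003),  # server:20 -> client:>1023
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Decision for each flow's opening packet; with 'keep state' that one
    decision governs the rest of the connection."""
    return {name: evaluate(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original", original_rules()), ("fixed", fixed_rules())):
        print(label, audit(rules))
```

Running it shows the original set passing the control and passive-data connections but blocking active data, because the only rule mentioning port 20 is an inbound rule and the active data connection leaves the server; the fixed set passes all three. The original port-20 rule is not harmless either: it admits any inbound connection to port 20 from a high source port, which nothing legitimate ever sends.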



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19861fba1001072018g115a0bccrf9510a38454cc9db>