#4, 24th December 2011
J65nko (Administrator)
I am not using an anchor; I use the following on my workstation:

Code:
table <ftp_sites> {
        ftp.openbsd.org
        ftp.eu.openbsd.org
        anga.funkfeuer.at
        ftp.wu-wien.ac.at
        ftp.nluug.nl
        ftp5.usa.openbsd.org
        ftp3.usa.openbsd.org
        obsd.cec.mtu.edu
        ftp.halifax.rwth-aachen.de
        ftp.dk.freebsd.org
        }

table <ftp_local> {
        192.168.222.0/24
        }

# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535

FTPfirst = 49152
#FTPlast = 65535

# -- outgoing ftp
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp label "$nr:$proto:FTP_CMD_OUT"
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst label "$nr:$proto:FTP_DATA_OUT"

# -- incoming ftp: allow local network clients to access the ftp server on the workstation
pass in quick on egress inet proto tcp from <ftp_local> to egress port ftp label "$nr:$proto:FTP_CMD_IN"
pass in quick on egress inet proto tcp from <ftp_local> port >= 1023 to egress port >= $FTPfirst label "$nr:$proto:FTP_DATA_IN"

IMHO http://www.openbsd.org/faq/pf/anchors.html explains anchors rather well:

Quote:
Manipulation of anchors is performed via pfctl. It can be used to add and remove rules from an anchor without reloading the main ruleset.
To list all the rules in the anchor named ssh:
Code:
    # pfctl -a ssh -s rules
To flush all rules from the same anchor:
Code:
    # pfctl -a ssh -F rules
The same section also tells you how to add rules saved in a file to the anchor:

Quote:
Rules can also be saved and loaded from a text file:

Code:
    # cat >> /etc/anchor-goodguys-www
    pass in proto tcp from 192.0.2.3 to any port 80
    pass in proto tcp from 192.0.2.4 to any port { 80 443 }

    # pfctl -a goodguys -f /etc/anchor-goodguys-www
So the simplest thing would be to define an empty anchor in your ruleset. Create a text file with the ftp rules. Load these into the anchor when you need them. Flush them from the anchor when you are done.

Not too difficult, isn't it?
Yes, I know, been there too. Sometimes we fail to see the forest because there are so many trees.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
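The anchor workflow described in the post above (empty anchor in pf.conf, ftp rules in their own file, load and flush with pfctl) as an added example; this is not the poster's script. It assumes an anchor named "ftp" (pf.conf would carry the line `anchor "ftp"` where the rules should apply), a rules file at /etc/pf.anchor-ftp, and uses a shortened version of the post's <ftp_sites> table.

```shell
#!/bin/sh
# Added example, not from the post. Manages the post's ftp rules as a pf anchor:
# pf.conf only needs one line, e.g.  anchor "ftp"  where the rules should apply;
# the rules live in a separate file that is loaded/flushed with pfctl -a.
# Assumptions: anchor name "ftp", rules file /etc/pf.anchor-ftp.
set -eu

ANCHOR=${ANCHOR:-ftp}
RULES_FILE=${RULES_FILE:-/etc/pf.anchor-ftp}
PFCTL=${PFCTL:-pfctl}   # overridable so the functions can be dry-run without pf

# The anchor file is parsed on its own, so it must carry its own tables and
# macros; these are the post's rules with a shortened <ftp_sites> list.
ftp_anchor_rules() {
    cat <<'EOF'
table <ftp_sites> { ftp.openbsd.org ftp.eu.openbsd.org ftp.nluug.nl }
table <ftp_local> { 192.168.222.0/24 }
FTPfirst = 49152
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp label "$nr:$proto:FTP_CMD_OUT"
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst label "$nr:$proto:FTP_DATA_OUT"
pass in quick on egress inet proto tcp from <ftp_local> to egress port ftp label "$nr:$proto:FTP_CMD_IN"
pass in quick on egress inet proto tcp from <ftp_local> port >= 1023 to egress port >= $FTPfirst label "$nr:$proto:FTP_DATA_IN"
EOF
}

# Write the file, parse-check it (-n loads nothing) and only then load it into
# the anchor. The main ruleset is never reloaded.
ftp_anchor_load() {
    ftp_anchor_rules > "$RULES_FILE"
    "$PFCTL" -a "$ANCHOR" -n -f "$RULES_FILE"
    "$PFCTL" -a "$ANCHOR" -f "$RULES_FILE"
}

# Empty the anchor when done; the anchor point itself stays in pf.conf.
ftp_anchor_flush() { "$PFCTL" -a "$ANCHOR" -F rules; }

# Show what is currently loaded in the anchor.
ftp_anchor_show() { "$PFCTL" -a "$ANCHOR" -s rules; }

case "${1:-}" in
    load)  ftp_anchor_load ;;
    flush) ftp_anchor_flush ;;
    show)  ftp_anchor_show ;;
esac
```

Run as `sh ftp-anchor.sh load` before an ftp session and `sh ftp-anchor.sh flush` afterwards; `show` lists what the anchor currently holds.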