24th August 2008
kasse
Fdisk Soldier
Join Date: Jun 2008
Posts: 67
Trouble with ftp with pf enabled

On my FreeBSD 7.0 I can't establish ftp connections with pf enabled.

First I had ftp added to the standard tcp_services allowed to pass out with keep state, à la
 pass out proto tcp to any port ftp
Then I could access the ftp sites, but I could not receive any data back, e.g. using ls or pwd; I would get a reply that the operation was not permitted and the connection would close.

Second, I tried the method described in ftp-proxy, but then I cannot even connect to any ftp.

Here is the pf.conf. I confess that it may seem stupid on my home desktop, but I wanted to get a feeling for pf.
# define some outgoing services
tcp_services = "{ssh, smtp, domain, https, www, auth, imaps}"
udp_services = "{domain}"

# define some macros
ext_if = "em0" # to wireless router via cable
ftp_proxy = "" # where ftp-proxy is attached; left empty in the post
               # (ftp-proxy listens on 127.0.0.1 port 8021 by default)
ftp_proxyport = "8021"

# define some trusted hosts
table <trusted> { }

# don't filter loopback
set skip on lo0

# normalize incoming packets and reassemble fragments
scrub in all

# define some anchors for the rules ftp-proxy installs at run time
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# define some redirection: send outgoing ftp control connections to the proxy
rdr pass on $ext_if proto tcp from any to any port ftp -> \
    $ftp_proxy port $ftp_proxyport

#### the filter rules
block all

# load ftp-proxy's dynamic rules here; the pass rule for the proxy itself
# sits outside the anchor (the post left the anchor's "{" unclosed)
anchor "ftp-proxy/*"
pass out proto tcp from $ftp_proxy to any port ftp keep state
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass on $ext_if proto udp to any port $udp_services keep state

# allow incoming from trusted lan address but log it
pass in log on $ext_if proto tcp from <trusted> to any port ssh
As always, since I'm not familiar with this and a bit slow, I issue an idiot warning.
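The two defects a reader can spot in the posted ruleset, an `anchor "ftp-proxy/*" {` that is never closed and an `$ftp_proxy` macro defined as the empty string and then used as the rdr target, are both things pfctl would reject before the rules ever take effect. The following is an added example, not part of the original post and not pf's own tooling: a small checker that joins continuation lines, expands macro references the way pf.conf does, and reports empty macros and unbalanced anchor braces. The embedded ruleset is copied from the post; the `FIXED_PF_CONF` variant assumes ftp-proxy's documented default listen address of 127.0.0.1 port 8021. On a real host the authoritative check remains `pfctl -nf /etc/pf.conf`.

```python
import re

# Ruleset as posted (comments kept so the comment stripping is exercised).
POSTED_PF_CONF = """\
tcp_services = "{ssh, smtp, domain, https, www, auth, imaps}"
udp_services = "{domain}"
ext_if = "em0" # to wireless router via cable
ftp_proxy = "" # where ftp-proxy is attached
ftp_proxyport = "8021"
table <trusted> { }
set skip on lo0
scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp from any to any port ftp -> \\
    $ftp_proxy port $ftp_proxyport
block all
anchor "ftp-proxy/*" {
   pass out proto tcp from $ftp_proxy to any port ftp keep state
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass on $ext_if proto udp to any port $udp_services keep state
pass in log on $ext_if proto tcp from <trusted> to any port ssh
"""

# Assumed repair: proxy address filled in (ftp-proxy default) and the
# anchor used without an inline block, as in the ftp-proxy(8) example.
FIXED_PF_CONF = (POSTED_PF_CONF
                 .replace('ftp_proxy = ""', 'ftp_proxy = "127.0.0.1"')
                 .replace('anchor "ftp-proxy/*" {', 'anchor "ftp-proxy/*"'))

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
QUOTED = re.compile(r'"[^"]*"')


def logical_lines(text):
    """Strip comments, join backslash-continued lines, drop blanks."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            out.append(line)
    return out


def check(text):
    """Return human-readable findings for a pf.conf text (empty list = clean)."""
    findings, macros, depth = [], {}, 0
    for n, line in enumerate(logical_lines(text), 1):
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            macros[name] = value
            if not value.strip():
                findings.append(f"statement {n}: macro ${name} is defined empty")
            continue
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                findings.append(f"statement {n}: ${ref} used before it is defined")
            elif not macros[ref].strip():
                findings.append(f"statement {n}: ${ref} expands to nothing in: {line}")
        # Count braces outside quoted strings so "{ssh, ...}" macros and
        # 'table <t> { }' do not disturb the anchor-block depth.
        unquoted = QUOTED.sub("", line)
        depth += unquoted.count("{") - unquoted.count("}")
        if depth < 0:
            findings.append(f"statement {n}: stray closing brace")
            depth = 0
    if depth:
        findings.append(f"end of file: {depth} anchor block(s) opened with '{{' but never closed")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_PF_CONF), ("fixed", FIXED_PF_CONF)):
        print(f"--- {label} ---")
        for f in check(conf) or ["no findings"]:
            print(f)
```

Running it prints the empty-macro definition, the two rules where `$ftp_proxy` expands to nothing, and the unclosed anchor for the posted ruleset, and no findings for the repaired one.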