pf allow ftp access
Trying to configure ftp access to be able to download the BSD ports collection.
Code:
    # Allow access to ftp
    pass out on $if proto tcp from $if to any port { 21, 20 }

thanks
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
the full rule set
Code:
    # Macros: define common values, so they can be referenced and changed easily.
    ext_if="rl0"
    tcp_services="{ domain, www, https, 10000 }"
    udp_services="{ domain }"
    brute_block="{ ssh, 10000 }"    # defined but not referenced by any rule below

    # Tables
    table <sshadmins> persist file "/etc/sshallow"
    table <bruteforce> persist file "/etc/brufeforce"

    # Set Optimizations:
    set loginterface $ext_if
    set skip on lo0

    # Normalization / scrubbing
    scrub in all

    antispoof quick for { lo0 $ext_if }

    block all
    block quick from <bruteforce>

    pass proto udp to any port $udp_services
    pass proto tcp from any to self port $tcp_services
    pass in on $ext_if inet proto icmp all icmp-type 8

    # Allow access to sshd.
    pass in on $ext_if proto tcp from <sshadmins> to self port ssh

    # Allow access to ftp
    pass out on $ext_if proto tcp from $if to any port { 21, 20 }

    # brute force blocking
    # Note: "quick" together with "from any" means this rule, not the
    # <sshadmins> rule above, decides who may reach sshd: evaluation stops
    # here and the packet passes for any source not in <bruteforce>.
    pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
Last edited by ijk; 11th August 2008 at 09:49 PM.
shouldn't $if be $ext_if?
It looks like (I don't know pf, just guessing from the syntax) your ruleset doesn't allow ftp.
There are two ways of transfer: active and passive. For active transfers you will need to allow the ftp server to connect (active open) from server port 20. For pasv tx you should allow the client to do an active open on an ephemeral port on the server. You can maybe add the following rule at the end to allow pasv tx:
Code:
    pass out proto tcp from self to any keep state
It is already $ext_if, my typing error.
Code:
    pass out on $ext_if proto tcp from $ext_if to any port { 21, 20 }
I am already letting out traffic with the above rule. Why do I need to let out all traffic from any port with the below rule? Is this not insecure?
Code:
    pass out proto tcp from self to any keep state
Passive ftp uses two connections
Code:
    pass out proto tcp from self to any keep state
Because most people find a rule like this rather permissive (it allows for example MSN connections), a proxy is needed. See ftp-proxy(8) for the details.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
For pasv ftp tx the above rule will allow your ftp client to establish a data connection to the ftp server on an ephemeral port (> 1023) on the server. Anyway, ftp-proxy may be a better option.
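The two replies above describe the data connection in words; the script below makes the same point concrete. It is an added example for this thread, not code posted by anyone in it. It parses the two control-channel messages that set up an FTP data connection (the server's 227 reply to PASV and the client's PORT command), computes the port each one advertises (p1*256+p2), and checks whether the posted rule that only allows outbound TCP to ports 21 and 20 would match the resulting connection. It also prints the narrow per-connection pass rule that connection would need, which is the kind of rule ftp-proxy(8) manages for you. The addresses 192.0.2.10 / 192.0.2.20, the interface macro $ext_if and the sample lines are constructed for the example.

```python
"""Derive the FTP data connection from the control channel and check it
against a pf rule that only permits outbound TCP to ports 21 and 20.

Added example for this thread (not code from any poster). Addresses,
interface name and control-channel lines are constructed sample data.
"""
import re
from dataclasses import dataclass

# Server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The server listens on h1.h2.h3.h4 port p1*256+p2; the client connects to it.
PASV_RE = re.compile(r"^227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2".
# The client listens on that host:port; the server connects to it from port 20.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class DataConn:
    mode: str        # "passive", "active" (or "control" for the command channel)
    direction: str   # seen from the FTP client: "out" = client opens, "in" = server opens
    src_host: str
    src_port: int    # 0 = ephemeral port chosen by the connecting side
    dst_host: str
    dst_port: int


def _host_port(groups):
    """Turn the six decimal fields of a PASV reply or PORT command into (host, port)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("field out of 0-255 range: %r" % (groups,))
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def parse_pasv(reply):
    m = PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _host_port(m.groups())


def parse_port(command):
    m = PORT_RE.match(command)
    if m is None:
        raise ValueError("not a PORT command: %r" % command)
    return _host_port(m.groups())


def data_connection(client_ip, server_ip, line):
    """Return the TCP data connection that one control-channel line sets up."""
    if line.startswith("PORT "):
        host, port = parse_port(line)
        # A sane server refuses a PORT that names a third host (FTP bounce);
        # mirror that check so we never model a connection to a third party.
        if host != client_ip:
            raise ValueError("PORT host %s is not the client %s" % (host, client_ip))
        return DataConn("active", "in", server_ip, 20, host, port)
    host, port = parse_pasv(line)
    # The advertised address is trusted here; many clients reuse server_ip
    # instead when the two differ (server behind NAT), the port is the same.
    return DataConn("passive", "out", client_ip, 0, host, port)


def covered_by_ftp_rule(conn):
    """Does 'pass out on $ext_if proto tcp from $ext_if to any port { 21, 20 }'
    (the rule posted in this thread) match this connection?  Only outbound
    traffic whose destination port is 20 or 21 does."""
    return conn.direction == "out" and conn.dst_port in (20, 21)


def pf_rule(conn, ext_if="$ext_if"):
    """The narrow, per-connection pass rule this data connection needs. The
    parenthesised interface makes pf re-read its address if it changes."""
    if conn.direction == "out":
        return "pass out on %s proto tcp from (%s) to %s port %d keep state" % (
            ext_if, ext_if, conn.dst_host, conn.dst_port)
    return "pass in on %s proto tcp from %s port %d to (%s) port %d keep state" % (
        ext_if, conn.src_host, conn.src_port, ext_if, conn.dst_port)


# Constructed sample session: client 192.0.2.20 talking to server 192.0.2.10.
CLIENT_IP = "192.0.2.20"
SERVER_IP = "192.0.2.10"
SAMPLE_LINES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # server -> client, PASV reply
    "PORT 192,0,2,20,4,1",                             # client -> server, active mode
]


def analyse(lines=SAMPLE_LINES, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Map each control-channel line to (connection, covered_by_posted_rule, needed_rule)."""
    results = []
    for line in lines:
        conn = data_connection(client_ip, server_ip, line)
        results.append((conn, covered_by_ftp_rule(conn), pf_rule(conn)))
    return results


if __name__ == "__main__":
    for conn, covered, rule in analyse():
        print("%-7s %-3s %s:%s -> %s:%d  covered by port {21,20} rule: %s" % (
            conn.mode, conn.direction, conn.src_host, conn.src_port or "*",
            conn.dst_host, conn.dst_port, covered))
        print("   needs:", rule)
```

Running it shows that neither data connection is matched by the posted rule: the passive one leaves outbound to port 50000, and the active one arrives inbound from server port 20, so only the control channel to port 21 is covered. That is the gap the "pass out from self to any" rule closes by brute force and ftp-proxy(8) closes one connection at a time.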
ftp-proxy
You should use ftp-proxy. Do this:
In /etc/rc.conf append the following line:
Code:
    ftpproxy_enable="YES"
Open your /etc/pf.conf file and put something like this in the NAT section:
Code:
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
All three rules are required, even if your setup does not use NAT. Find your filtering rules and append the following rule:
Code:
    anchor "ftp-proxy/*"
Use this link also: http://www.cyberciti.biz/faq/freebsd...configuration/
Good luck!!!
no problem!
No problem. Also you may want to check ftpproxy_flags="" in rc.conf.
You are welcome!