
FreeBSD Security Securing FreeBSD.

#1
Old 22nd July 2008
gotian gotian is offline
New User
Join Date: Jul 2008
Posts: 1
Default [PF] Problem with ftp and ALTQ


I have two problems connected with PF on FreeBSD 7.0.
1) I can't connect to ftp servers on the router (FreeBSD), but NAT users can. Here is my pf.conf:
table <firewall> const { self }
set skip on lo
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> port 8021
nat on $ext_if from $int_net to any -> $ext_if

block drop in all
pass in on $int_if from $int_net to any
block out all
anchor "ftp-proxy/*"
pass in proto tcp to <firewall> port { ssh } modulate state
pass in on $int_if proto icmp from $int_net to <firewall> keep state
pass out on $int_if all modulate state
pass out on $ext_if proto { tcp udp } from any to any port { 53 21 20 } modulate state
pass out on $ext_if proto icmp from any to any keep state
ftp session on the router:
[root@freebsd ~]# ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:ftp): ftp
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43044|)
500 Illegal EPRT command.
500 Illegal PORT command.
425 Use PORT or PASV first.
If I add the rule "pass out all" then everything is OK, but I want outbound traffic to be blocked by default.

2) I have 100 computers behind NAT and I want to give each of them the same bandwidth, but I don't want to create 100 rules. In Linux there is SFQ or WFQ that can do this. Is there anything similar on FreeBSD?

Thanks for help

Last edited by gotian; 22nd July 2008 at 10:43 AM.
#2
Old 22nd July 2008
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,136

Due to the way ftp-proxy works, you cannot use ftp on the router itself. Ftp traffic passing through the internal router interface is redirected to ftp-proxy for handling. Ftp connections originating from the router itself go out directly through the external interface, thus bypassing ftp-proxy.

If you want to use ftp on the router you could create an anchor and temporarily attach two rules to it:

  1. Pass out tcp traffic originating from the external public address with destination port 21.
     This rule will handle the ftp command channel.

  2. Pass out tcp traffic originating from the external public address to any IP address with destination ports >1023.
     This rule will take care of the ftp data channel connections (for passive ftp).
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
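The two temporary rules described in the reply above, written out as an added example; this is not from the original posts. The anchor name ftp-router, the file path /etc/pf.ftp-router.conf and the interface em0 are assumptions. The anchor declaration must sit below the existing "block out all" line (pf is last-match), which is why it is placed next to the existing "anchor \"ftp-proxy/*\"" line. The transcript in the first post shows why rule 2 is needed: the client's "pass out" rules only allow ports 53, 21 and 20, so the passive data connection to port 43044 is dropped, the client falls back to active mode (EPRT/PORT) and the server rejects that.

```pf
# --- Addition to the poster's /etc/pf.conf, directly after: anchor "ftp-proxy/*"
# An empty anchor matches nothing, so this line is harmless while no rules are loaded.
anchor "ftp-router"

# --- Separate file: /etc/pf.ftp-router.conf (path is an assumption) ---------------
# Macros from pf.conf are not visible when pfctl loads a file into an anchor,
# so the external interface is redefined here (em0 is an assumption).
ext_if = "em0"

# Rule 1: FTP command channel. Only the router's own external address, only port 21.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 modulate state

# Rule 2: passive FTP data channel. The server picks an unprivileged port
# (43044 in the session above), so allow the router to connect to ports > 1023.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 modulate state

# --- Operating it (run as root on the router) -------------------------------------
# Load the two rules only for the duration of the transfer:
#   pfctl -a ftp-router -f /etc/pf.ftp-router.conf
# Verify what is attached:
#   pfctl -a ftp-router -sr
# Flush the anchor again afterwards, which restores default-deny for outbound:
#   pfctl -a ftp-router -F rules
```

Rule 2 is deliberately broad: while it is loaded, any process on the router can open outbound TCP connections to any high port, not just ftp. That is why the rules live in an anchor that is flushed after use rather than in pf.conf permanently; the main ruleset never changes and "pass out all" is never needed.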