Trouble with ftp with pf enabled
On my FreeBSD 7.0 I can't establish ftp connections with pf enabled.
First I had ftp added to the standard tcp_services allowed to pass out with keep state, a la
Code:
pass out proto tcp to any port ftp
Second I tried the method described in ftp-proxy, but then I cannot even connect to any ftp. Here is the pf.conf. I confess that it may seem stupid on my home desktop, but I wanted to get a feeling for pf.
Code:
# define some outgoing services
tcp_services = "{ssh, smtp, domain, https, www, auth, imaps}"
udp_services = "{domain}"

# define some macros
ext_if = "em0"            # to wireless router via cable
ftp_proxy = "127.0.0.1"   # where ftp-proxy is attached
ftp_proxyport = "8021"

# define some trusted hosts
table <trusted> { 192.168.0.102 }

# don't filter loopback
set skip on lo0

# sort out the meaningful and assemble those
scrub in all

# define some anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# define some redirection
rdr pass on $ext_if proto tcp from any to any port ftp -> \
    $ftp_proxy port $ftp_proxyport

#### the filter rules
block all
anchor "ftp-proxy/*" {
    pass out proto tcp from $ftp_proxy to any port ftp keep state
}
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass on $ext_if proto udp to any port $udp_services keep state

# allow incoming from trusted lan address but log it
pass in log on $ext_if proto tcp from <trusted> to any port ssh
Have a look at what jleal posted at the end of this thread; http://www.daemonforums.org/showthread.php?t=1695
On a stand-alone box you cannot use the ftp-proxy from pf. This proxy needs two physical interfaces, an external NIC and an internal one.
ftp-proxy listens on the internal NIC to intercept ftp traffic from the internal LAN.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

I have a very dated page on pf at http://home.nyc.rr.com/computertaijutsu/pf.html
At the end, in the odds and ends section, I talk about it. Most of the detailed guides about ftp are all about using an ftp server, rather than a client. It can be confusing, because many of them don't really seem to specify that, they just talk about ftp. I think it was actually j65nko who straightened me out on this.

Funny that this thread did not show up when I searched the forums for "pf ftp". Now I at least see the solution to the problem with no proxy, that I must allow outgoing to any port for the negotiated data connection, as mentioned by J65nko.
So is that the only way then, since the proxy works on two separate interfaces? I'm not sure I understand how the ftp-proxy works for this to be a problem. No way to trick the ftp-proxy?

I tried once, but I haven't found a way to trick ftp-proxy to run on a single interface.
You could add the ftp rules to a pf anchor and disable them when you don't need ftp. Remember that the ports use ftp. Another option could be to store the allowed ftp sites in a table and make the ftp rules only applicable to these sites. But if you add software by using the FBSD ports mechanism, this becomes very difficult.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Yeah, I was just reading through the taijutsu of scottro, and the anchor in the external file seems like a nice option if I can somehow make it be read in automatically each time I use pkg_add and then flushed.

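One way to put the anchor-plus-table idea from j65nko's post and the pkg_add wrapper wished for above into practice, as an added example that is not code from this thread. It assumes the main pf.conf carries a line `anchor "ftpclient"` after `block all`, that the ftp client uses passive mode (the "outgoing to any port" case discussed earlier), and that the anchor name `ftpclient`, the table name `ftp_sites` and the function names are my own choices; only the interface `em0` comes from the poster's config.

```shell
#!/bin/sh
# Added example, not the thread's own config: keep the ftp client rules in a pf
# anchor that is only populated while a command such as pkg_add runs.
# Assumes pf.conf contains  anchor "ftpclient"  after "block all".
# Anchor name, table name and the passive-mode assumption are mine.

EXT_IF="em0"          # interface name taken from the thread's pf.conf
ANCHOR="ftpclient"    # assumed anchor name

# Print the anchor ruleset for the given ftp hosts: the control channel to
# port 21 plus the passive data connection, which the server places on an
# unprivileged port we cannot know in advance. Both rules are stateful and
# limited to <ftp_sites>, so "any port" is never opened towards the internet.
ftp_rules() {
    hosts=$(printf '%s' "$*" | sed 's/ /, /g')
    printf 'table <ftp_sites> { %s }\n' "$hosts"
    printf 'pass out on %s proto tcp to <ftp_sites> port ftp keep state\n' "$EXT_IF"
    printf 'pass out on %s proto tcp to <ftp_sites> port > 1023 keep state\n' "$EXT_IF"
}

# Load the rules into the anchor, run the command, then empty the anchor
# again (rules and table) whether or not the command succeeded. Needs root.
with_ftp() {
    sites="$1"; shift
    # $sites is deliberately unquoted so each host becomes one argument
    ftp_rules $sites | pfctl -q -a "$ANCHOR" -f -
    rc=0
    "$@" || rc=$?
    pfctl -q -a "$ANCHOR" -F rules
    pfctl -q -a "$ANCHOR" -F Tables
    return $rc
}

# Usage (as root):  with_ftp "ftp.freebsd.org ftp2.freebsd.org" pkg_add -r bash
```

Because the anchor is flushed again after every run, the permissive data-connection rule exists only for the duration of the fetch, and `pfctl -a ftpclient -s rules` shows at any moment whether it is currently loaded.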
IIRC I suggested this to Scott quite some time ago on bsdforums.org
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump