[PF] Problem with ftp and ALTQ
Hello,
I have two problems connected with PF on FreeBSD 7.0.

1) I can't connect to ftp servers from the router itself (FreeBSD), but NAT users can. Here is my pf.conf:

Code:
ext_if="nfe0"
int_if="dc0"
int_net="192.168.6.0/24"

table <firewall> const { self }

set skip on lo

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if from $int_net to any -> $ext_if

block drop in all
pass in on $int_if from $int_net to any

block out all

anchor "ftp-proxy/*"

pass in proto tcp to <firewall> port { ssh } modulate state
pass in on $int_if proto icmp from $int_net to <firewall> keep state
pass out on $int_if all modulate state
pass out on $ext_if proto { tcp udp } from any to any port { 53 21 20 } modulate state
pass out on $ext_if proto icmp from any to any keep state

Code:
[root@freebsd ~]# ftp ftp.freebsd.org
Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:ftp): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43044|)
500 Illegal EPRT command.
500 Illegal PORT command.
425 Use PORT or PASV first.

2) I have 100 computers behind NAT and I want to give the same bandwidth to each of them, and I don't want to create 100 rules. In Linux there is SFQ or WFQ that can do so. Is there anything similar on FreeBSD? Thanks for help.

Last edited by gotian; 22nd July 2008 at 10:43 AM.
Due to the way ftp-proxy works, you cannot use ftp on the router itself. Ftp traffic passing through the internal router interface is redirected to ftp-proxy for handling. Ftp connections originated from the router itself go out directly through the external interface, thus bypassing ftp-proxy.
If you want to use ftp on the router you could create an anchor and temporarily attach two rules to it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
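One way to do what the reply describes, as an added example that is not from the thread or from either poster. It assumes an anchor named ftp-router (a hypothetical name) declared in pf.conf as `anchor "ftp-router"` after the `block out all` line, so rules loaded into it override the default block, and it uses the thread's external interface nfe0. The two rules let the router's own ftp control connection (port 21) and the passive-mode data connection (a server-chosen port above 1023, like the 43044 in the session above) leave on the external interface with state, and the anchor is flushed again when the transfer is done.

```shell
#!/bin/sh
# Added example (not the thread's own configuration).
# Assumptions: anchor "ftp-router" is declared in pf.conf after "block out all";
# nfe0 is the external interface, as in the original post.
ANCHOR="ftp-router"
EXT_IF="nfe0"

# Print the two rules to load into the anchor.
# Rule 1: the router's own ftp control connection to port 21.
# Rule 2: the passive-mode data connection; the server picks a port > 1023,
#         so the rule is scoped to the router's own address and high ports only.
ftp_router_rules() {
    cat <<EOF
pass out on $EXT_IF proto tcp from ($EXT_IF) to any port 21 modulate state
pass out on $EXT_IF proto tcp from ($EXT_IF) to any port > 1023 modulate state
EOF
}

# Load the rules into the anchor (pfctl reads the ruleset from stdin with -f -).
ftp_router_enable() {
    ftp_router_rules | pfctl -a "$ANCHOR" -f -
}

# Flush the anchor so the router is back to "block out all" for these ports.
ftp_router_disable() {
    pfctl -a "$ANCHOR" -F rules
}

# Usage: ftp_router_enable; run ftp; ftp_router_disable
```

Because the anchor is loaded and flushed with pfctl rather than edited into pf.conf, the widened outbound rule only exists for the duration of the transfer, and `pfctl -a ftp-router -sr` shows at a glance whether it is still active. If the router has several local users, the `user` option of a pf rule can narrow the second rule further to the account that runs the ftp client.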