SV: pf firewall and ftp

Denny Lin dennylin93 at hs.ntnu.edu.tw
Mon Apr 16 13:21:40 UTC 2012 

On Mon, Apr 16, 2012 at 09:39:38AM +0200, Hasse Hansson wrote:
> To solve the ftp pre 4.7 part, you can start reading here
> http://home.nuug.no/~peter/pf/en/long-firewall.html#FTPPROBLEM
> 
> /Hasse
> -----Oprindelig meddelelse-----
> Fra: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] På vegne af Fbsd8
> Sendt: den 16 april 2012 04:31
> Til: FreeBSD Questions; FreeBSD Current; FreeBSD doc
> Emne: Re: pf firewall and ftp
> 
> Fbsd8 wrote:
> > Running 9.0 as a gateway host with pf firewall enabled.
> > FTP is launched by inetd.
> > Both active and passive ftp works from lan pc's to the host ftp.
> > The lan ftp session can be initiated from the host or any lan pc and 
> > things work because there are no rules on the lan interface except 
> > single pass all rule.
> > 
> > But I can not do host initiated or lan initiated ftp sessions to the 
> > public internet. Get "operation not permitted" message. Tried to setup 
> > ftp-proxy per openbsd pf manual without any joy.
> > 
> > Looking for working rule set with nat and ftp services to study and 
> > learn from.
> >
> > 
> > 
> 
> OK I have uncovered what the problem is.
> The pf version running on Freebsd 9.0 matches the version running on openbsd
> 4.5. Found it on man pf at the end.
> 
> The documentation on the Openbsd website for pf is for Openbsd 5.0 and it
> has warning saying "NOTE: This information is for OpenBSD 4.7. NAT
> configuration was significantly different in earlier versions."
> http://pf4freebsd.love2party.net/ has more info about how back dated the
> 9.0 Freebsd production version of pf is.
> 
> The Freebsd handbook had a detailed section on pf including rules examples
> matching the version of pf included with 9.0 But someone allowed it to be
> removed in the current version of the handbook.
> 
> So here we are with an outdated version of pf in the current production
> 9.0 version of Freebsd and there is no documentation available on nat rule
> syntax in the handbook or at openbsd/pf.

The version of PF in FreeBSD is corresponds to the one in OpenBSD 4.5.

There are old versions of the OpenBSD PF FAQ on mirrors:
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.pdf
http://ftp2.eu.openbsd.org/pub/OpenBSD/doc/history/pf-faq45.txt

> Going to dig through the 9.0 pf man pages for the info

The rules should also be documented in the man pages.

-- 
Denny Lin

More information about the freebsd-doc mailing list