new passive ftp / ftp-proxy problem.
Max Laier
max at love2party.net
Thu Dec 23 11:32:41 PST 2004
On Thursday 23 December 2004 18:28, Didier Wiroth wrote:
> Hi,
>
> I'm trying different pf.conf for my home router. I would like to change
> my actual pf.conf to a default "block all" policy and explicitly
> allow/open the ports I need.
>
> How do you have to modify the below pf.conf sample to allow passive ftp? Is
> this even possible? Please keep in mind that I want to keep the default
> "block all".
>
> I would like to use ftp-proxy started from inetd like this:
> ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180
>
> As a test, I created a very simple pf.conf, which actually doesn't work:
> #variables
> int_if="sis0"
> ext_if="tun0"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
> rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy
>
> pass quick on lo0 all
> block log-all all
>
> #ftp connections
> pass in on $int_if inet proto tcp from $int_if:network to \
> { $int_if, localhost } port ftp-proxy keep state
> pass out on $ext_if inet proto tcp from $ext_if to any port ftp \
> keep state user proxy
Add at least:
pass in on $ext_if inet proto tcp from any to ($ext_if) port 55000:57000 \
keep state user proxy
>
> -----------------end snip ----------------
> Why isn't this working?
You can also watch "$tcpdump -n -e -ttt -i pflog0" to see what is dropped. You
will quickly figure out what belongs to your ftp connection and what you need to
enable.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
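Following the pointer to pflog0 in the reply above, an added example (not from this thread, nor from FreeBSD or pf itself) that sifts pflog lines for inbound connections blocked on the external interface with a destination port in ftp-proxy's -m/-M range, the drops the suggested pass rule is meant to accept, and produces that rule with the interface name written out in place of the $ext_if macro. The tcpdump line layout and the sample lines are constructed assumptions, not captured output.

```python
import re

PASV_MIN, PASV_MAX = 55000, 57000  # ftp-proxy -m/-M from the inetd line above
EXT_IF = "tun0"                    # external interface from the pf.conf sample

# Assumed shape of one "tcpdump -n -e -ttt -i pflog0" line:
#   <delta> rule N/0(match): block in on tun0: A.B.C.D.sport > E.F.G.H.dport: S ...
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return the pflog fields of one line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("rule", "sport", "dport"):
        e[k] = int(e[k])
    return e

def blocked_data_ports(lines, iface=EXT_IF, lo=PASV_MIN, hi=PASV_MAX):
    """Entries dropped inbound on iface with a destination port in the proxy
    range: exactly the traffic the missing pass rule has to accept."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "block" or e["dir"] != "in":
            continue
        if e["iface"] == iface and lo <= e["dport"] <= hi:
            hits.append(e)
    return hits

def suggested_rule(hits, iface=EXT_IF, lo=PASV_MIN, hi=PASV_MAX):
    """The rule from the reply above, limited to the proxy's own uid."""
    if not hits:
        return None
    return (f"pass in on {iface} inet proto tcp from any to ({iface}) "
            f"port {lo}:{hi} keep state user proxy")

# Constructed sample lines (documentation addresses), not real pflog output.
SAMPLE = [
    "000000 rule 1/0(match): block in on tun0: 203.0.113.7.20 > 198.51.100.9.55314: S ...",
    "000312 rule 3/0(match): pass out on tun0: 198.51.100.9.4121 > 203.0.113.7.21: S ...",
    "000207 rule 1/0(match): block in on tun0: 203.0.113.7.20 > 198.51.100.9.56002: S ...",
    "000045 rule 1/0(match): block in on tun0: 192.0.2.44.3389 > 198.51.100.9.3389: S ...",
]
```

Feed it the live output of the tcpdump command from the reply; the last sample line shows that an unrelated drop on a port outside the range is left alone rather than opened up.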