Confusion about FTP through PF
Michael K. Smith - Adhost
mksmith at adhost.com
Thu Mar 6 18:34:13 UTC 2008
Hello Jeremy (et al.):
We found the issue and I wanted to share the solution.
As before, this rule worked as expected:
# --
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
# --
However, when the following rule was in place, we couldn't get any ftp traffic to the ftp servers. We tried modifying the rule by replacing ! <ftp_servers> with individual IPs and server macros, but nothing seemed to fix it. However, when we removed the rule entirely, we could ftp to the servers, but we could also ftp to the PF devices themselves, which was not what we wanted.
#--
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
#--
Next, we tried this rule, but we experienced the same results.
#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--
Finally, we had success.
#--
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA
#--
Where
#--
table <firewall> const { self }
#--
This allows ftp traffic through the PF firewall to the ftp servers but disallows ftp connections to the PF devices themselves; traffic to the ftp servers is then allowed to pass with
#--
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA
#--
Thanks again to Jeremy for the various rules and the explanation of ftp methodology, without which we would have gotten stuck with the 49152:65535 port range requirements.
Regards,
Mike
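The working combination described in the message above, assembled into one pf.conf fragment so the ordering and the interaction between the non-quick block and the quick pass are visible in one place. This is an added example, not a rule set posted by Mike or Jeremy; the interface name, the table contents and the 192.0.2.x addresses are assumed placeholders.

```pf
# Added example (not from the original post): the rule ordering the post
# reports as working. Interface, addresses and table members are assumed.
vlan2_if = "vlan2"

# FTP servers behind the firewall (placeholder documentation addresses).
table <ftp_servers> const { 192.0.2.10, 192.0.2.11 }

# "self" expands to every address configured on this PF box, so the table
# covers the device's own interfaces without listing them by hand.
table <firewall> const { self }

# Deny FTP control connections aimed at the firewall itself. Without "quick"
# this acts as a default that a later matching rule may override, so it does
# not interfere with connections destined for the FTP servers. PF applies the
# last matching rule unless a rule is marked "quick".
block in log on $vlan2_if inet proto tcp from any to <firewall> port 21 flags S/SA

# Allow the control connection (21) and passive data connections to the FTP
# servers. The high range assumes the servers pin their passive data ports to
# 49152:65535, as the post describes; adjust it to match the servers' config.
# "quick" makes this rule final for matching packets.
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { ftp, 49152:65535 } modulate state flags S/SA

# The variant the post reports as NOT working in their setup, kept here only
# for comparison (commented out):
# block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
```

Before loading, run `pfctl -nf /etc/pf.conf` to parse the file without activating it, then `pfctl -f /etc/pf.conf` to load. `pfctl -sr` shows the rules as PF loaded them, and `pfctl -t firewall -T show` confirms which addresses `self` expanded to on this host; `pfctl -vsr` adds per-rule packet counters, which is the quickest way to see which rule a test connection actually hit.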