pf and ftp client

Max Laier max at love2party.net
Sun Dec 19 11:03:56 PST 2004


On Sunday 19 December 2004 18:50, dave wrote:
> Hello,
>     I've got a 5.3 box running pf. I want to use it as an ftp client; it's
> already going through a NAT firewall. My problem is that when I try to download
> a port via make install and any ftp URL is referenced, the site cannot be
> contacted. I'm not sure which mode this is using, active or passive. This
> machine has only one NIC in it. I have included my relevant ftp pf rules
> below.
> Any help appreciated.
> Thanks.

First verify that ftp works without pf, i.e. does your NAT firewall support 
ftp at all? Depending on the other firewall you might not need ftp-proxy at 
all (or it might not be possible to use ftp at all). Without details about 
that other firewall's setup I can only guess.

> pf.conf:
>
> # options
> set loginterface none
> set optimization normal
> set block-policy drop
>
> scrub in on $ext_if all
> scrub out all random-id max-mss 1440
>
> # nat ftp-proxy
> rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021
>
> # activate spoofing protection for the internal interface.
> antispoof quick for $ext_if inet
>
> # allow active ftp, passive is handled
> # by the ftp-proxy and the nat rdr rule
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

This is wrong. If you want passive mode to work you have to allow:
"in from any to any user proxy"
as described in the ftp-proxy(8) manpage.

> # allow out ftp
> pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
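The rule Max points to, placed beside dave's active-mode rule in a minimal pf.conf fragment. This is an added example for readers of the archive, not configuration from either message or from ftp-proxy(8) itself. It assumes the FreeBSD 5.x inetd-launched ftp-proxy(8), which drops privileges to the user named by its -u option (default "proxy"), so that "user proxy" in a pf rule matches the proxy's sockets. The macro values are placeholders; dave's macro section is not in the thread, and the non-FTP parts of his ruleset (including a default block) are assumed to exist elsewhere.

```pf
# Added example, not from the original thread. Assumes the FreeBSD 5.x
# ftp-proxy(8) run from inetd on port 8021 as user "proxy".
ext_if   = "fxp0"        # placeholder; use the real interface name
ext_addr = "192.0.2.10"  # placeholder (RFC 5737 documentation address)

set block-policy drop
scrub in on $ext_if all

# Hand FTP control connections arriving on $ext_if to ftp-proxy.
# Caveat: rdr rewrites packets *entering* on the named interface; it does
# not fire for connections this host originates itself, which matters on a
# single-NIC box that is also the FTP client.
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

antispoof quick for $ext_if inet

# Passive mode: the proxy rewrites PASV so the client connects to a port the
# proxy listens on; that listening socket is owned by user "proxy". This is
# the rule from ftp-proxy(8) that Max refers to.
pass in on $ext_if inet proto tcp from any to any user proxy flags S/SA keep state

# Active mode: the server connects back from port 20 to the proxy's socket.
# This is the only data-connection rule dave had, so passive transfers
# (the usual mode for fetch/ftp behind NAT) were dropped.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# The proxy's own outbound control connection and passive data connections.
pass out on $ext_if proto tcp from any to any port 21 flags S/SA modulate state
pass out on $ext_if proto tcp from any to any user proxy flags S/SA keep state
```

Check the loaded rules with `pfctl -nf /etc/pf.conf` before `pfctl -f`, and confirm with `pfctl -ss` during a transfer that the state for the data connection is created by the proxy's user rather than being dropped; if no state appears at all, the control connection never reached the proxy, which points back to Max's first question about the outer NAT firewall.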


More information about the freebsd-pf mailing list