pf and ftp client
max at love2party.net
Sun Dec 19 11:03:56 PST 2004
On Sunday 19 December 2004 18:50, dave wrote:
> I've got a 5.3 box running pf. I want to use it as an ftp client; it's
> already going through a nat firewall. My problem is when I try to download
> a port via make install and any ftp url is referenced, the site cannot be
> contacted. I'm not sure which mode this is using, active or passive. This
> machine has only one nic in it. I have included my relevant ftp pf rules.
> Any help appreciated.
First verify that ftp works without pf. i.e. does your nat firewall support
ftp at all? Depending on the other firewall you might not need ftp-proxy at
all (or it might not be possible to use ftp at all). Without details about
that other firewall's setup I can only guess.
> # options
> set loginterface none
> set optimization normal
> set block-policy drop
> scrub in on $ext_if all
> scrub out all random-id max-mss 1440
> # nat ftp-proxy
> rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021
> # activate spoofing protection for the internal interface.
> antispoof quick for $ext_if inet
> # allow active ftp, passive is handled
> # by the ftp-proxy and the nat rdr rule
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
This is wrong. If you want passive mode to work you have to allow:
"in from any to any user proxy"
as described in the ftp-proxy(8) manpage.
> # allow out ftp
> pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
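The ruleset below is an added illustration (not part of the thread) that puts Max's correction next to the rule quoted from Dave's pf.conf, reusing the $ext_if and $ext_addr macros from the quoted config; it assumes ftp-proxy is started from inetd on port 8021 and drops privileges to the user "proxy", as the quoted rdr rule implies.

```pf
# --- unchanged from the quoted config: hand port-21 traffic to ftp-proxy ---
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

# --- original rule (quoted above): only matches ACTIVE-mode data connections,
#     i.e. the server calling back from its port 20. A PASSIVE transfer
#     arrives from a high port on the server and never matches this rule.
# pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# --- corrected rule, as in the reply / ftp-proxy(8): "user proxy" restricts
#     the match to sockets owned by the ftp-proxy process, so "from any to any"
#     does not open the host in general; it only admits connections the proxy
#     is itself listening for (passive data channels on arbitrary ports).
pass in on $ext_if inet proto tcp from any to any user proxy flags S/SA keep state

# --- keep the active-mode rule as well if active transfers are still wanted ---
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# --- outbound control connection, unchanged from the quoted config ---
pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss | grep proxy` during a transfer to confirm the data connection is being tracked as a proxy-owned state.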