new passive ftp / ftp-proxy problem.

Didier Wiroth didier.wiroth at mcesr.etat.lu
Thu Dec 23 09:28:44 PST 2004


Hi,

I'm trying different pf.conf files for my home router. I would like to change my current pf.conf to a default "block all" policy and explicitly allow/open the ports I need.

How does the pf.conf sample below have to be modified to allow passive FTP, and is this even possible? Please keep in mind that I want to keep the default "block all".

I would like to use ftp-proxy started from inetd like this:
ftp-proxy       stream  tcp     nowait  root    /usr/libexec/ftp-proxy  ftp-proxy -u proxy -m 55000 -M 57000 -t 180

As a test, I created a very simple pf.conf, which actually doesn't work:
# variables
int_if="sis0"
ext_if="tun0"

# options
set block-policy return
set loginterface $ext_if

# translation
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr on $int_if proto tcp from !$ext_if to !$int_if:network port ftp -> 127.0.0.1 port ftp-proxy

pass quick on lo0 all
block log-all all

# ftp connections
pass in on $int_if inet proto tcp from $int_if:network to { $int_if, localhost } port ftp-proxy keep state
pass out on $ext_if inet proto tcp from $ext_if to any port ftp keep state user proxy

-----------------end snip ----------------
Why isn't this working?

Thx a lot
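The pf.conf above logs every blocked packet (`block log-all all` together with `set loginterface`), so the first check for a "why isn't this working" question is to read the pflog and see which direction, interface and destination port is being dropped. The following is an added example and not part of the original post: a small POSIX sh helper that normalizes the text `tcpdump -n -e -ttt -r /var/log/pflog` prints for pflog records and counts blocked packets per direction, interface and destination port. The sample log lines, rule numbers and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Triage pf's block log. Input is the text tcpdump prints for pflog(4)
# records, e.g. `tcpdump -n -e -ttt -i pflog0` on the live interface or
# `tcpdump -n -e -ttt -r /var/log/pflog` from the pflogd file.

# One compact record per blocked TCP/UDP packet:
#   rule=<n> <in|out> <iface> <src>:<sport> -> <dst>:<dport>
# Lines for passed packets, or without ports (e.g. ICMP), are dropped.
pflog_blocked() {
    sed -n 's/.*rule \([0-9]*\)\/[0-9]*([a-z]*): block \([a-z]*\) on \([a-z0-9]*\): \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.\([0-9]*\) > \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)\.\([0-9]*\):.*/rule=\1 \2 \3 \4:\5 -> \6:\7/p'
}

# Count blocked packets per (direction, interface, destination port), most
# frequent first, so the rule that is missing from pf.conf stands out:
# "out tun0 dport=21" means the proxy's outbound control connection is not
# being passed; a high dport on the external side points at data connections.
pflog_top() {
    pflog_blocked |
    awk '{ split($6, d, ":"); k = $2 " " $3 " dport=" d[2]; n[k]++ }
         END { for (k in n) print n[k], k }' |
    sort -rn
}

# Constructed sample (not captured from a real system): rule 1 stands for a
# "block log-all all" rule, rule 2 for a logged pass rule; 192.0.2.1 is the
# external address, 192.168.1.0/24 the LAN, 198.51.100.5 an FTP server.
SAMPLE_PFLOG='000000 rule 1/0(match): block out on tun0: 192.0.2.1.49200 > 198.51.100.5.21: S 1:1(0) win 65535 <mss 1460> (DF)
002998 rule 1/0(match): block out on tun0: 192.0.2.1.49200 > 198.51.100.5.21: S 1:1(0) win 65535 <mss 1460> (DF)
000153 rule 1/0(match): block out on tun0: 192.0.2.1.49201 > 198.51.100.5.60123: S 2:2(0) win 65535 <mss 1460> (DF)
000271 rule 1/0(match): block in on sis0: 192.168.1.20.50012 > 192.168.1.1.55210: S 3:3(0) win 65535 <mss 1460> (DF)
000340 rule 2/0(match): pass in on sis0: 192.168.1.20.50011 > 127.0.0.1.8021: S 4:4(0) win 65535 <mss 1460> (DF)
000412 rule 1/0(match): block in on tun0: 198.51.100.5 > 192.0.2.1: icmp: echo request'

# Usage on the sample; on the router, replace the printf with tcpdump.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_top
```

Rule numbers in the output map to `pfctl -vvsr`, which prints each loaded rule with its number, so a single dominant (direction, interface, dport) line points straight at the pass rule the config lacks.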



More information about the freebsd-pf mailing list