pftpx rules not showing in pfctl
Scott Ullrich
sullrich at gmail.com
Thu Jul 7 18:25:50 GMT 2005
On 7/7/05, Michael Weiser <michael at weiser.dinsnail.net> wrote:
> Hello,
>
> This may sound ridiculous, but I've actually managed to set up pftpx and
> now can't seem to figure out why it works. :)
>
> I've compiled pftpx on my FreeBSD-CURRENT box with some minor tweaking
> because of missing strnvis. I added the required rules to my pf.conf:
>
> nat-anchor "pftpx/*"
> rdr-anchor "pftpx/*"
> rdr on $intif inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
>
> and
>
> anchor "pftpx/*" on $dslif
> pass out quick on $dslif inet proto tcp from $dslif port $unpriv to any port = ftp modulate state (no-sync) flags S/SA label $dslif-out-ftp
>
> $dslif is xl0 for me. It's present on the anchor because I also have a
> $pppif tun0 which is used occasionally and rules for it are defined
> further down the filter list.
>
> Anyway. I fired up pftpx -d -D 7 and lo, everything works nicely.
>
> Then I went and said 'pfctl -a pftpx -s r' whilst running an ftp
> download. No matter what I do, it says the rule list is empty. When
> running it with '-s a' I see that there are entries for the ftp
> connections in the state table, but still no rules.
>
> Is it supposed to behave that way or should I be seeing some rule
> entries?
First do this:

pfctl -sA -v | grep pftpx

# pfctl -sA -v | grep pftpx
pftpx
pftpx/419.1

Then do a:

# pfctl -v -a pftpx/419.1 -sr
pass in log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
  [ Evaluations: 1071 Packets: 8 Bytes: 501 States: 0 ]
pass out log quick inet proto tcp from 204.152.184.73 to 10.0.0.69 port = commplex-link flags S/FSRA keep state (max 1)
  [ Evaluations: 286 Packets: 8 Bytes: 501 States: 0 ]

This will show your rules. ;)
Regards,
Scott
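The reason the top-level anchor looks empty in the exchange above, as an added note that is not part of the original thread: `pfctl -a pftpx -sr` prints only rules placed directly in the anchor named `pftpx`, and pftpx never puts any there. It loads the per-session rules into child anchors named `pftpx/<pid>.<n>` (419.1 in the reply is PID 419, session 1), which is why the nested name only shows up under `pfctl -sA -v` and why the rules appear once that exact child name is passed to `-a`. The script below, an added example rather than code from pftpx or from either poster, automates the two-step procedure in the reply: it filters the `pfctl -sA -v` listing down to the children of a given parent anchor and then dumps each child's filter and nat/rdr rules. The `list_subanchors`/`dump_anchor_tree` function names and the embedded sample listing are assumptions made for this example; the sample is constructed to resemble the reply's output and is what the script runs against when no arguments are given.

```shell
#!/bin/sh
# Added example, not from the original thread: enumerate the dynamic
# sub-anchors that pftpx installs under its parent anchor and print the
# rules held in each one.  Assumes pfctl(8) with -sA/-sr/-sn as used in
# the reply above.  The "pftpx/<pid>.<n>" naming is how pftpx labels its
# per-session anchors (419 in the reply is the proxy's PID).
# Exercised here only against the constructed sample below, not a live pf.

# list_subanchors PARENT
#   Reads `pfctl -sA -v` output on stdin and prints only the anchors
#   nested under PARENT (PARENT/...), one per line, leading blanks
#   stripped.  `pfctl -a PARENT -sr` shows rules placed directly in
#   PARENT, which pftpx leaves empty: its rules live in these children.
list_subanchors() {
    parent=$1
    awk -v p="$parent" '
        # trim the indentation pfctl prints in front of anchor names
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # keep "p/<child>", but not "p" itself and not "pother/<child>"
        index($0, p "/") == 1 && length($0) > length(p) + 1 { print }
    '
}

# count_subanchors PARENT
#   Same input on stdin; prints how many child anchors PARENT has, which
#   is handy for a monitoring check ("how many proxy sessions hold rules").
count_subanchors() {
    list_subanchors "$1" | wc -l | tr -d ' '
}

# dump_anchor_tree PARENT
#   Live helper: walks every child of PARENT and prints its filter rules
#   (-sr) and nat/rdr rules (-sn) with counters, the same way the reply
#   does by hand for pftpx/419.1.  Needs root and a running pf.
dump_anchor_tree() {
    parent=${1:-pftpx}
    pfctl -sA -v 2>/dev/null | list_subanchors "$parent" | while read -r a; do
        printf '== anchor %s: filter rules ==\n' "$a"
        pfctl -v -a "$a" -sr
        printf '== anchor %s: nat/rdr rules ==\n' "$a"
        pfctl -v -a "$a" -sn
    done
}

# Constructed sample of `pfctl -sA -v` output, modelled on the reply: the
# parent anchor, two per-session children, and two unrelated anchors that
# must not be picked up (one of them shares the "pftpx" prefix).
SAMPLE_ANCHORS='  pftpx
  pftpx/419.1
  pftpx/419.2
  pftpxother/1.1
  ftp-proxy/611.1'

# Usage:  sh anchors.sh --dump [parent]   walk the live firewall
#         sh anchors.sh                   run the parser on the sample
case "${1:-}" in
    --dump) dump_anchor_tree "${2:-pftpx}" ;;
    '')     printf '%s\n' "$SAMPLE_ANCHORS" | list_subanchors pftpx ;;
esac
```

Two things worth keeping in mind when reading the dump. The child anchors exist only for proxy sessions that are alive, so the listing changes as FTP sessions come and go, and an idle proxy shows nothing under `pftpx` at all. And each rule pftpx installs should look like the ones in the reply: one source address, one destination address, one port, `keep state (max 1)`. That narrow scope is the whole point of letting a proxy punch holes in the ruleset; a child anchor holding anything broader is worth investigating.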
More information about the freebsd-pf mailing list