Confusion about FTP through PF
Michael K. Smith - Adhost
mksmith at adhost.com
Tue Mar 4 19:33:31 UTC 2008
Hello All:
> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
>
Thanks to Jeremy for the line above which works like a champ. The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers. I have the following configuration to that effect. The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.
table <ftp_servers> persist { \
$liv_ftp_ext, \
$uft_01_ext \
}
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
When I load this rule ftp breaks to everything, including the <ftp_servers> servers. Is it not possible to do a "!" in a block rule or is my syntax fubar?
Regards,
Mike
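One way to express the same intent without a negated table match, as an added example that is not part of the original post or of any reply to it. It reuses the post's macros ($vlan2_if, $liv_ftp_ext, $uft_01_ext) and assumes inbound FTP control connections to the two servers arrive on $vlan2_if. pf evaluates rules last-match-wins, and "quick" stops evaluation at the first matching rule, so the order of the two rules below is what makes it work.

```pf
# Added example, not from the original post. Macros $vlan2_if,
# $liv_ftp_ext and $uft_01_ext are assumed to be defined as in the post.
table <ftp_servers> persist { $liv_ftp_ext, $uft_01_ext }

# Allow the FTP control port only to the listed servers. "quick" ends
# evaluation for matching packets, so the block rule below never sees them.
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> \
    port 21 modulate state flags S/SA

# Every other port-21 connection arriving on this interface is dropped
# and logged to pflog0, where the rule number identifies which rule fired.
block in log quick on $vlan2_if inet proto tcp from any to any port 21
```

Check the ruleset before loading it with "pfctl -nf /etc/pf.conf" (parse only, nothing is loaded), confirm an address is really in the table with "pfctl -t ftp_servers -T test <address>", and confirm the loaded ordering with "pfctl -sr". "tcpdump -n -e -ttt -i pflog0 port 21" then shows which rule logged a dropped connection. This pair covers only the control connection; the passive data port range still needs its own pass rule, as in the first rule quoted in the post.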