Confusion about FTP through PF

Michael K. Smith - Adhost mksmith at adhost.com
Tue Mar 4 19:33:31 UTC 2008


Hello All:

> pass in quick on $ext_if inet proto tcp from any to 72.20.106.8 port {
> ftp, 49152:65535 } modulate state flags S/SA
> 
Thanks to Jeremy for the line above which works like a champ.  The last piece of the puzzle for me is to block all inbound ftp connections to servers other than my ftp servers.  I have the following configuration to that effect.  The two servers in the table are associated with valid, outside IP addresses and the table shows up correctly with a 'pfctl -t ftp_servers -T show'.

table <ftp_servers> persist { \
        $liv_ftp_ext, \
        $uft_01_ext \
        }

block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21

When I load this rule ftp breaks to everything, including the <ftp_servers> servers.  Is it not possible to do a "!" in a block rule or is my syntax fubar?

Regards,

Mike
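An added example (not from the original post or from anyone on the thread) of a pf.conf fragment for the goal described above: allow FTP only to the hosts in <ftp_servers> and block the control port to everything else. The interface name and the two addresses behind $ext_if, $liv_ftp_ext and $uft_01_ext are placeholders assumed here; the passive port range 49152:65535 is taken from the quoted pass rule. It shows both the negated-table form and an equivalent that needs no "!" at all, relying only on PF's quick first-match ordering.

```pf
# Added example: FTP allowed only to hosts listed in <ftp_servers>.
# Assumed macros; replace with the real interface and addresses.
ext_if      = "em0"
liv_ftp_ext = "192.0.2.10"    # placeholder (documentation prefix)
uft_01_ext  = "192.0.2.11"    # placeholder (documentation prefix)

table <ftp_servers> persist { $liv_ftp_ext, $uft_01_ext }

# Allow the control port and the passive data range to the FTP servers.
# quick: the first matching rule decides, later rules are not consulted.
pass in quick on $ext_if inet proto tcp from any to <ftp_servers> \
    port { ftp, 49152:65535 } modulate state flags S/SA

# Form 1: negated table. Blocks port 21 to any destination not in the table.
block in log quick on $ext_if inet proto tcp from any to ! <ftp_servers> port ftp

# Form 2: same effect without negation. Because the quick pass above
# comes first, a later quick block on port ftp to any host can only ever
# match connections whose destination is not in the table.
# block in log quick on $ext_if inet proto tcp from any to any port ftp
```

Check the file before loading with `pfctl -nvf /etc/pf.conf` (parse only, prints the expanded rules), then after loading confirm what is actually active with `pfctl -sr` and `pfctl -t ftp_servers -T show`; `pfctl -t ftp_servers -T test 192.0.2.10` reports whether a given address matches the table. One caveat when comparing with the rules quoted in the post: PF matches `on $iface` against the interface the packet arrives on, so a pass rule on $ext_if has no bearing on how a block rule on $vlan2_if is evaluated, and the two must be written for the interface the FTP traffic really enters on.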
