pf blocking ftp on firewall/router, what did I overlook?
Dirk R. Gently
dirk.r.gently at gmail.com
Sun Feb 15 18:26:26 PST 2009
Thanks for taking the time to read this. I've tried to fix this but am
unsure how to do it. Any help would be appreciated.
I built a basic pf.conf for a machine to act as a router/firewall. The
problem I'm having is that the pf.conf I built is blocking access to ftp.
I've built in ftp-proxy, but if I understand it correctly ftp-proxy allows LAN
clients through the firewall; what about the router itself? Without this,
I'm unable to update unless I turn off the firewall. Here's my pf.conf:
# Network Interface Cards (NICs).
WAN_NIC="gem0"
LAN_NIC="re0"
FTPPORT="8021"
# Assumed definition: $SYNSTATE is used in the pass rules below but its
# definition is not shown in the post; pfctl rejects an undefined macro.
SYNSTATE="flags S/SA keep state"

table <blockedip> persist file "/etc/pfblocked.conf"

# Options. With "set require-order yes", options must precede the
# translation rules, so "set skip on lo0" belongs here, not after the rdr.
set block-policy drop
set loginterface $WAN_NIC
set require-order yes
set skip on lo0

scrub in all

# Translation: NAT for LAN traffic leaving the WAN interface, the anchors
# ftp-proxy fills in at runtime, and the rdr that hands LAN clients' FTP
# control connections to ftp-proxy listening on lo0 port $FTPPORT.
nat on $WAN_NIC from !($WAN_NIC) to any -> ($WAN_NIC:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $LAN_NIC inet proto tcp from $LAN_NIC:network to any port ftp -> lo0 port $FTPPORT

# Filtering: default deny inbound on the WAN, then the router's own outbound.
antispoof log for { lo0 $WAN_NIC $LAN_NIC }
block drop in log (all) quick on $WAN_NIC from <blockedip> to any
block in log on $WAN_NIC all
anchor "ftp-proxy/*"
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
pass out on $WAN_NIC proto udp from ($WAN_NIC) to any
pass out on $WAN_NIC inet proto icmp from ($WAN_NIC) to any
I've tested this and pfctl -nf /etc/pf.conf is ok. Any thoughts?
--
Dirk R. Gently - http://linuxtidbits.wordpress.com/
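As an added check (example code, not from the original post or from the pf project): a small POSIX shell lint that catches two mistakes that are easy to make when assembling or pasting a pf.conf, a macro referenced as $NAME with no NAME="..." definition and a line whose double quotes do not balance, before the file is handed to pfctl -nf. The sample fragment it writes to a temp file is constructed for the demonstration.

```shell
#!/bin/sh
# pf.conf pre-flight lint (added example, not from the post or from pf).
# Reports macros used as $NAME that no NAME="..." line defines, and lines
# with an odd number of double quotes; pfctl -nf rejects both, so catching
# them first gives a clearer error than the parser's.

pf_lint() {
    file="$1"
    rc=0
    # Macro definitions: NAME=... at the start of a line.
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$file")
    # Macro references: every $NAME, including ($NAME:0) and $NAME:network forms.
    referenced=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$file" | sed 's/^\$//' | sort -u)
    for m in $referenced; do
        printf '%s\n' "$defined" | grep -qx "$m" || { echo "undefined macro: \$$m"; rc=1; }
    done
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        q=$(printf '%s' "$line" | tr -cd '"' | wc -c)
        [ $((q % 2)) -eq 0 ] || { echo "line $n: unbalanced double quote"; rc=1; }
    done < "$file"
    return $rc
}

# Constructed sample: an anchor line missing its closing quote and a
# $SYNSTATE reference with no SYNSTATE= definition.
write_sample() {
    cat > "$1" <<'EOF'
WAN_NIC="gem0"
FTPPORT="8021"
anchor "ftp-proxy/*
pass out on $WAN_NIC proto tcp from ($WAN_NIC) to any $SYNSTATE
EOF
}

sample=$(mktemp)
write_sample "$sample"
pf_lint "$sample" || echo "fix the findings above, then run: pfctl -nf /etc/pf.conf"
rm -f "$sample"
```

Run it against the real file with `pf_lint /etc/pf.conf` before `pfctl -nf`; a clean run exits 0 and prints nothing.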