ftp problem

M. Keith Thompson m.keith.thompson at gmail.com
Fri Jan 8 13:51:34 UTC 2010


On Thu, Jan 7, 2010 at 10:18 PM, J65nko <j65nko at gmail.com> wrote:
> On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson
> <m.keith.thompson at gmail.com> wrote:
>> On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko at gmail.com> wrote:
>>>> # SSH from NetEng subnet
>>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>>>
>>>> # Allow inside network to ping the server
>>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>>
>>>> # Allow DNS lookups
>>>> pass out quick on $ext_if proto udp to any port 53
>>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>>
>>>> # Allow ftp
>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>>>
>>>> --- end of pf.conf  ----------------------
>
> With ftp the client initiates the ftp command channel
>   client:port >1023   ---> server:port 21
>
> The passive ftp data channel is initiated by the client
>    client:port >1023  ---> server:port>1023
>
> Your second rule takes care of this
>
> The active ftp data channel is initiated by the ftp server
> using, and that is kind of weird, port 20 (ftp-data) as source port.
>      server:port 20   ---> client:port >1023
>
> You meant to pass active ftp with this rule:
>
>>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>
> But it should be:
>    pass out quick on $ext_if inet proto tcp from any port ftp-data
>    to $ext_IP port > 10000 keep state

I will make that change

> BTW you have a nice pf debug friendly "block log all" default policy.
> Does "tcpdump -eni pflog0" on the pf box show any blocked packets?

tcpdump of the pflog0 does not show any packets from or to the IP in question.

> RE: ftp-proxy
> This just adds complexity, after everything is working you could add it in.
>
> RE: active ftp user requirement
> Yes, I understand, it is the users who help us pay our mortgage ;)
>
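As an added example that is not part of the thread, here is a pf.conf fragment that covers all three FTP flows (control, passive data, active data) for an FTP server running on the pf host itself; the interface name, the address, and the passive port range are assumptions and must be replaced with the real values.

```pf
# Added example, not from the thread. Assumes the FTP server runs on the
# pf host, that $ext_if / $ext_IP are the external interface and its
# address, and that the FTP daemon hands out passive data ports only in
# the range 49152-65535. All values below are placeholders.
ext_if     = "em0"
ext_IP     = "192.0.2.10"
pasv_ports = "49152:65535"      # must match the ftpd passive port range

set skip on lo0
block log all                   # default deny, every drop goes to pflog0

# Control channel: client:ephemeral -> server:21 (inbound on the firewall)
pass in quick on $ext_if inet proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state

# Passive data channel: the client opens it, client:>1023 -> server:pasv.
# Only the range the daemon really uses is opened, not every port > 49151.
pass in quick on $ext_if inet proto tcp from any to $ext_IP port $pasv_ports \
    flags S/SA keep state

# Active data channel: the SERVER opens it, server:20 -> client:>1023.
# Because the server initiates, this is an outbound rule and ftp-data (20)
# is the SOURCE port, not the destination.
pass out quick on $ext_if inet proto tcp from $ext_IP port ftp-data \
    to any port > 1023 flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -eni pflog0` while a client transfers a file in both modes to confirm no data-channel SYNs are hitting the block rule.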


More information about the freebsd-pf mailing list