pf headaches: why won't it let me fetch from ftp servers?

Ben Schumacher me at benschumacher.com
Thu Jan 7 22:42:23 UTC 2010


On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet <dino_vliet at yahoo.com> wrote:
> Dear freebsd list,
> I have the following pf.conf file:
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types   = "echoreq"
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following example: fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
> Brgds
> Dino

Dino-

Default behavior for FTP is that you open a connection to the server on port
20 and then the server opens a connection back to you on another port,
basically. This means that when you have the firewall active you're
blocking this inbound connection on the alternate port. The easiest
way to work around this and still get the security of having a firewall
running is to use "PASSIVE" mode in your FTP client, which basically
indicates that the client will open a second connection to the server:
$ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can
set to default to passive FTP. See fetch(3), but basically set it to
anything besides "no" to set the default.

Cheers,
Ben
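To see which of an FTP transfer's two connections the quoted ruleset actually admits, here is a small Python model of the pf semantics that matter here (an added example, not code from the thread): pf is last-match-wins, and with "keep state" only the initial SYN of a connection has to match a rule, so the direction of that SYN decides. It evaluates the control connection, the inbound data connection of active mode and the outbound data connection of passive mode; the service-name-to-port mapping follows /etc/services and the data-port numbers are constructed samples.

```python
# Added example (not from the thread): minimal model of pf's last-match
# evaluation, applied to the ruleset quoted in the question.  Only the
# initial packet of each connection is judged; "keep state" carries replies.
SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80, "auth": 113, "https": 443}

# (direction, proto, dst_ports, action); "any" matches everything.
RULES = [
    ("any", "any", "any", "block"),                    # block all
    ("any", "icmp", "any", "pass"),                    # pass inet proto icmp ... echoreq
    ("out", "tcp", set(SERVICES.values()), "pass"),    # pass out proto tcp ... $tcp_services
    ("out", "tcp", {5999}, "pass"),                    # pass out proto tcp to any port 5999
    ("out", "udp", {21, 53, 123}, "pass"),             # pass out proto udp ... $udp_services
]


def verdict(direction, proto, dst_port):
    """Return 'pass' or 'block' for the first packet of a connection."""
    action = "pass"  # pf's implicit default when no rule matches
    for rdir, rproto, ports, raction in RULES:
        if rdir != "any" and rdir != direction:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if ports != "any" and dst_port not in ports:
            continue
        action = raction  # last matching rule wins
    return action


def ftp_session(passive, data_port):
    """Judge the control connection and the data connection of one transfer."""
    control = verdict("out", "tcp", SERVICES["ftp"])
    if passive:
        # PASV: the client connects out to a server-chosen data port.
        data = verdict("out", "tcp", data_port)
    else:
        # PORT: the server connects back in to a client-chosen data port.
        data = verdict("in", "tcp", data_port)
    return {"control": control, "data": data}


if __name__ == "__main__":
    # Constructed sample ephemeral ports for the two data connections.
    print("active :", ftp_session(passive=False, data_port=54321))
    print("passive:", ftp_session(passive=True, data_port=49152))
```

Under the quoted rules the control connection passes but both data connections are blocked: the active-mode one because nothing passes inbound, and the passive-mode one because the server's ephemeral data port is not in $tcp_services. Covering passive FTP therefore needs either an outbound rule for that port range or pf's ftp-proxy(8), which tracks the PASV/PORT exchange and opens only the negotiated port.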