pf headaches: why won't it let me fetch from ftp servers?

Morgan Wesström freebsd-questions at pp.dyndns.biz
Fri Jan 8 09:25:15 UTC 2010


Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types   = "echoreq"
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
> 
> However, if I try to fetch a file from an ftp server as in the following example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: Is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
> Brgds
> Dino

The ftp protocol is unfortunately not very firewall friendly and it
involves far more ports and connections than you have accounted for in your
rules. You should have a look at ftp-proxy(8) and closely study the pf
examples there. I'm sure it will solve your problem.
/Morgan
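As an added example, not part of the original thread and not taken from ftp-proxy(8) verbatim, here is what a pf.conf that delegates FTP to ftp-proxy(8) looks like for the gateway case: clients sit behind the pf box on $int_if, ftp-proxy runs on the box with its default listen address of 127.0.0.1 port 8021, and /etc/rc.conf carries ftpproxy_enable="YES". The interface names em0 and em1 are placeholders; the service lists are Dino's minus ftp, since the proxy now owns port 21. The rest of a gateway's forwarding rules (nat for the clients, pass in on $int_if) are deliberately left out to keep the FTP-related lines visible.

```conf
# Added example, not from the original post. Assumes a gateway with clients
# on $int_if and ftp-proxy(8) started via ftpproxy_enable="YES", listening
# on its default 127.0.0.1 port 8021. em0/em1 are placeholder interface names.
ext_if = "em0"
int_if = "em1"
proxy  = "127.0.0.1"

# ftp dropped from the lists: the proxy handles port 21 from here on
tcp_services = "{ ssh, domain, www, auth, https }"
udp_services = "{ domain, ntp }"
icmp_types   = "echoreq"

set skip on lo0

# ftp-proxy inserts its per-session nat/rdr rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# hand the clients' FTP control connections (port 21) to the local proxy
rdr pass on $int_if proto tcp from any to any port ftp -> $proxy port 8021

block all

# the proxy inserts pass rules for each data connection it negotiates here
anchor "ftp-proxy/*"

pass inet proto icmp all icmp-type $icmp_types keep state

# the proxy's own control connection to the real FTP server
pass out on $ext_if proto tcp to any port ftp keep state

pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -vsr` that the three ftp-proxy anchors are present. Two caveats: a rdr on $int_if only matches packets arriving on that interface, so this example does not cover the original poster's case of running fetch on the pf host itself, and in passive mode (fetch's behaviour when FTP_PASSIVE_MODE is set to YES, which the stock login.conf does) the client opens the data connection to a high port chosen by the server, which is exactly the connection a "pass out to listed ports only" ruleset rejects with EPERM ("Operation not permitted").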

