pf and lan ftp clients

dave dmehler26 at woh.rr.com
Tue May 31 00:15:53 PDT 2005


Hello,
    I've got a 5.4 fbsd box doing routing and firewall for an internal lan
of machines. I'm using pf and having an issue with ftp. I believe it's
passive ftp that's giving me the difficulty, but on lan clients I am getting
timeout errors, while on the firewall itself both active and passive ftp
connections work fine. On lan clients active connections work fine; only the
passive ones on lan clients have timeout errors. An example is trying to
access the readme file link on www.webalizer.org.
On two unrelated subjects: I've got an ssh redirection and a rule that passes
ssh traffic from the internet to an internal computer. I'd like to set that
so that when a single IP hits the box it's directed to the router and not
the internal box.
Also, on 5.4, what is the status of synproxy and pf? In 5.3 when I used
synproxy on rules, internet clients were unable to connect; changing synproxy
state to keep state corrected the issue.
My rules are below. Any help appreciated.
Thanks.
Dave.
# $LAN is the internal interface, $EXT the external one, and $LAN_SERVER the
# internal service-serving box

# redirect LAN client active FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# rdr is first-match: the single-host rule must come before the catch-all
# so that xxx.xxx.xxx.xxx stays on the firewall instead of going to $LAN_SERVER
rdr on $EXT proto tcp from xxx.xxx.xxx.xxx/32 to ($EXT) port 22 -> ($EXT) port 22
rdr on $EXT proto tcp from any to any port 22 -> $LAN_SERVER port 22

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in
# inetd.conf (">< " is an exclusive range: 55001-56999)
pass in on $EXT \
    inet proto tcp \
    from any port 20 \
    to $EXT port 55000 >< 57000 \
    user proxy \
    flags S/SA keep state

# special requirements
pass in quick on $EXT \
    inet proto tcp \
    from xxx.xxx.xxx.xxx/32 port 22 to ($EXT) \
    port 22 flags S/SA keep state

# allow ftp active requests out
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 20 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port 21 \
    flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
    inet proto tcp \
    from $EXT to any \
    port > 1024 \
    flags S/SA keep state
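The data-connection handling behind the rules above, as an added example that is not part of Dave's post and is not ftp-proxy(8)'s own code. It parses the FTP PORT command (active mode: the client names the endpoint the server must connect to) and the 227 PASV reply (passive mode: the server names the endpoint the client must connect to), computes the IP and port from the six comma-separated byte fields, and rewrites each so that the data connection terminates on the proxy instead of the client. The 55000/57000 bounds are assumed to be the inetd.conf -m/-M range the post's "port 55000 >< 57000" rule refers to; the sample lines, the 192.0.2.10 server, the 10.0.0.x LAN addresses and the 198.51.100.1 external address are constructed for the example. The proxy behaviour modelled here (proxy connects out to the server's data port itself, and the LAN client connects to the proxy's internal address for passive data) is this example's assumption, not a statement about how Dave's installed proxy is configured.

```python
import re

# Constructed sample lines for this example (not captured traffic).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_PORT_CMD = "PORT 10,0,0,5,4,1"

# Assumed to match the "port 55000 >< 57000" rule in the post.  pf's "><"
# operator is an exclusive range, so 55000 and 57000 themselves are outside it.
PROXY_DATA_LO = 55000
PROXY_DATA_HI = 57000

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(fields):
    """Turn the six decimal fields of PORT/PASV into (ip, port).

    Each field is one byte on the wire, so a value above 255 is a malformed
    (or hostile) line and is rejected rather than turned into a bogus address.
    """
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % (fields,))
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def _fields(ip, port):
    """Inverse of _endpoint: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port(line):
    """Active mode: the client tells the server where to connect (from port 20)."""
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _endpoint(m.groups())


def parse_pasv(line):
    """Passive mode: the server tells the client where to connect (port > 1024)."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _endpoint(m.groups())


def in_proxy_range(port, lo=PROXY_DATA_LO, hi=PROXY_DATA_HI):
    """True if port falls inside pf's exclusive 'port lo >< hi' range."""
    return lo < port < hi


def rewrite_port(client_cmd, proxy_ext_ip, proxy_port):
    """Active mode through the proxy (modelled behaviour, see lead-in).

    The client's PORT names its own LAN address, which the remote server cannot
    reach.  The proxy listens on proxy_port on the external address and hands
    the server that endpoint instead; the server then connects from port 20 to
    proxy_ext_ip:proxy_port, which the 'pass in on $EXT ... port 55000 >< 57000
    user proxy' rule admits.  Returns (client endpoint, rewritten PORT line).
    """
    client_ip, client_port = parse_port(client_cmd)
    if not in_proxy_range(proxy_port):
        raise ValueError("proxy port %d is outside the pf data range" % proxy_port)
    return (client_ip, client_port), "PORT " + _fields(proxy_ext_ip, proxy_port)


def rewrite_pasv(server_reply, proxy_lan_ip, proxy_port):
    """Passive mode through the proxy (modelled behaviour, see lead-in).

    The server's 227 names the server's own data port.  The proxy connects out
    to it itself (the 'pass out on $EXT ... port > 1024' rule) and rewrites the
    reply so the client connects to proxy_lan_ip:proxy_port on the firewall's
    internal side; that client-to-proxy connection must also be passed in on
    the LAN interface, otherwise the data connection hangs until it times out
    while the control connection keeps working.  Returns (server endpoint,
    rewritten 227 line).
    """
    server_ip, server_port = parse_pasv(server_reply)
    if server_port <= 1024:
        raise ValueError("server data port %d is privileged; refusing" % server_port)
    return (server_ip, server_port), "227 Entering Passive Mode (%s)" % _fields(proxy_lan_ip, proxy_port)


if __name__ == "__main__":
    print(rewrite_pasv(SAMPLE_PASV_REPLY, "10.0.0.1", 55123))
    print(rewrite_port(SAMPLE_PORT_CMD, "198.51.100.1", 56000))
```

The two rewrite functions return both the endpoint the proxy itself has to reach (or be reached on) and the line it sends on, which is exactly the pair of facts a pf rule set has to cover for each mode: one connection on $EXT, and one on the LAN side.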
More information about the freebsd-pf mailing list