ftp problem

J65nko j65nko at gmail.com
Thu Jan 7 21:02:51 UTC 2010


> # SSH from NetEng subnet
> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>
> # Allow inside network to ping the server
> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>
> # Allow DNS lookups
> pass out quick on $ext_if proto udp to any port 53
> pass out quick on $ext_if proto tcp to any port 53 keep state
>
> # Allow ftp
> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>
> --- end of pf.conf  ----------------------

To prevent problems with TCP window scaling you should create state on
only the first packet of the 3-way TCP handshake, the packet with only
the SYN flag set.

With pf you do this by using 'keep state flags S/SA'.

This TCP window scaling issue is explained by Daniel Hartmeier, pf
hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238
under the section
"Create TCP states on the initial SYN packet"

BTW I wonder why you don't use the pf ftp-proxy, and why you allow
active ftp transfers ;)
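As an added illustration (not part of the original thread or its pf.conf), here is the quoted ftp section rewritten so that TCP state is only created on the initial SYN, as the reply recommends. The macros `$ext_if` and `$ext_IP` are taken from the quoted ruleset; the behaviour notes in the comments describe the effect of `flags S/SA` and do not assume anything else about the original poster's setup.

```pf
# --- before: state created on ANY matching TCP packet ------------------
# With plain "keep state" a mid-stream packet (no SYN) can also create
# state. Such a state never saw the window-scaling option negotiated in
# the handshake, so pf cannot track the real window size and may later
# drop legitimate segments of that connection.
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state

# --- after: state created only on the initial SYN ----------------------
# "flags S/SA" means: of the SYN and ACK flags, only SYN may be set.
# Packets with SYN+ACK, ACK-only, etc. do not match these rules and
# therefore never create state; they are only accepted if an existing
# state (created from the SYN) already covers them.
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 \
    flags S/SA keep state
```

Usage note: after editing, check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Note that on pf versions derived from OpenBSD 4.1 or later (including the pf shipped with newer FreeBSD releases), `flags S/SA` and `keep state` are already the defaults for TCP `pass` rules, so writing them explicitly mainly documents the intent; on older pf versions, as in the 2010 thread above, the explicit `flags S/SA` is what changes the behaviour.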

