ftp problem

M. Keith Thompson m.keith.thompson at gmail.com
Thu Jan 7 21:19:56 UTC 2010


On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko at gmail.com> wrote:
>> # SSH from NetEng subnet
>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>
>> # Allow inside network to ping the server
>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>
>> # Allow DNS lookups
>> pass out quick on $ext_if proto udp to any port 53
>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>
>> # Allow ftp
>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> --- end of pf.conf  ----------------------
>
> To prevent problems with TCP window scaling you should create state on
> only the first packet
> of the 3 way TCP handshake, the packet with only the Syn flag set.
>
> With pf you do this by using 'keep state flags S/SA".
>
> This TCP window scaling issue is explained by Daniel Hartmeier, pf
> hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238
> under the section
> "Create TCP states on the initial SYN packet"
>
> BTW I wonder why you don't use the pf ftp-proxy, and why you allow
> active ftp transfers ;)
>

Changed the three ftp pass rules to "flags S/SA"; still no love.
I was not using the proxy because there is no NAT involved. I will try
adding the pf ftp-proxy.
I am forced by user requirements to allow active transfers.

Thanks for all of the input!
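As an added example that is not part of the thread, the following Python script applies J65nko's advice mechanically: it scans a pf.conf for TCP rules that create state without `flags S/SA` (so state could be created on a mid-stream packet that never carried the window-scaling option from the SYN) and rewrites them. It assumes a simplified one-rule-per-line layout and only recognizes the `proto`, `flags` and `keep/modulate/synproxy state` tokens; the sample rule set is constructed from the FTP and SSH rules quoted above plus two hypothetical extra lines (the `port 53` and `flags any` rules) to exercise the non-TCP and wrong-flags paths.

```python
import re

# Constructed sample input: the rules quoted in the thread, plus two made-up
# lines (udp 53, and a tcp rule with "flags any") to exercise the other paths.
SAMPLE_RULES = """\
# Allow ftp
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
pass out quick on $ext_if proto udp to any port 53
pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state flags S/SA
pass in on $ext_if proto tcp to $ext_IP port 80 flags any keep state
"""

PROTO_RE = re.compile(r"\bproto\s+(\S+)")
FLAGS_RE = re.compile(r"\bflags\s+(\S+)")
STATE_RE = re.compile(r"\b(keep|modulate|synproxy) state\b")
WANTED_FLAGS = "S/SA"   # create state only on the initial SYN of the handshake


def _stateful_tcp(rule):
    """True if the line is a pass rule for proto tcp that creates state.

    Comments are stripped before matching; lines that are not pass rules,
    not tcp, or carry no state keyword are ignored (assumption: one rule
    per line, no backslash continuations).
    """
    body = rule.split("#", 1)[0].strip()
    if not body.startswith("pass"):
        return False
    m = PROTO_RE.search(body)
    return bool(m and m.group(1) == "tcp" and STATE_RE.search(body))


def check_rules(conf):
    """Return [(line_no, message)] for stateful tcp rules lacking flags S/SA."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        if not _stateful_tcp(raw):
            continue
        body = raw.split("#", 1)[0]
        f = FLAGS_RE.search(body)
        if f is None:
            findings.append((lineno, "no 'flags' option: state may be created on a "
                                     "mid-stream packet and miss the SYN's window scaling"))
        elif f.group(1) != WANTED_FLAGS:
            findings.append((lineno, "flags %s: state should be created only on the "
                                     "initial SYN (flags S/SA)" % f.group(1)))
    return findings


def harden(conf):
    """Rewrite the rule set so every stateful tcp rule carries 'flags S/SA'.

    A wrong flags value is replaced in place; a missing one is inserted just
    before the state keyword, giving the common '... flags S/SA keep state' form.
    """
    out = []
    for raw in conf.splitlines():
        if _stateful_tcp(raw):
            if FLAGS_RE.search(raw):
                raw = FLAGS_RE.sub("flags " + WANTED_FLAGS, raw, count=1)
            else:
                raw = STATE_RE.sub(lambda m: "flags %s %s" % (WANTED_FLAGS, m.group(0)),
                                   raw, count=1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in check_rules(SAMPLE_RULES):
        print("line %d: %s" % (lineno, msg))
    print(harden(SAMPLE_RULES))
```

The rewrite is only textual, so run the result through `pfctl -nf` (parse without loading) before activating it; the script does not know about macros, lists or multi-line rules beyond what is shown here.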

