pf rdr rule question - corrected

Jeremy Chadwick freebsd at jdc.parodius.com
Mon Oct 31 09:47:50 UTC 2011


On Mon, Oct 31, 2011 at 10:07:04AM +0100, Damien Fleuriot wrote:
> On 10/31/11 12:04 AM, G??t Andr??s wrote:
> > Dear All,
> > 
> > I'd like to have the following ruleset, for pure-ftpd passive port range:
> > 
> > (pasv and past mistyping corrected)
> > 
> > ---
> > ftp_pasv_start="X"
> > ftp_pasv_end="Y"
> > 
> > rdr on $netif inet proto tcp from any to $internalip port
> > $ftp_pasv_start:$ftp_pasv_end -> $internalip
> > 
> > pass in quick on $netif proto tcp from any to $internalip port
> > $ftp_pasv_start >< $ftp_pasv_end keep state flags S/SA
> > 
> 
> pass in quick on $netif proto tcp from any to $internalip port
> $ftp_pasv_start:$ftp_pasv_end
> 
> 
> Both keep state and flags S/SA are the default; you don't need to write them.

The OP did not disclose what version of FreeBSD they're using and as
such may actually need the directives.  I've talked about this at
length before -- please see this post which includes which FreeBSD
versions effectively need these directives:

http://markmail.org/message/ch6w5gwne7rfzfz5

On "older" FreeBSD, failure to include these directives will result in
completely broken TCP socket behaviour:

http://permalink.gmane.org/gmane.os.freebsd.devel.pf4freebsd/3990

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
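For reference, the full ruleset the thread converges on, as an added example (not code from either poster); the interface name, address and port numbers are placeholders, and the rdr target mirrors the original post:

```pf
# Added example, not from the thread. Interface, host address and the
# passive port range are assumed placeholder values.
netif="em0"
internalip="192.0.2.10"
ftp_pasv_start="30000"
ftp_pasv_end="30100"

# Redirect the pure-ftpd passive data ports to the FTP host.
rdr on $netif inet proto tcp from any to $internalip port $ftp_pasv_start:$ftp_pasv_end -> $internalip

# ":" is an inclusive range: matches 30000 through 30100.
# The original "><" operator is exclusive (30001 through 30099), so the
# first and last passive port would never have been passed in.
pass in quick on $netif proto tcp from any to $internalip port $ftp_pasv_start:$ftp_pasv_end

# On the FreeBSD releases discussed in the linked posts, where keep state
# and flags S/SA are not implied, spell them out explicitly:
# pass in quick on $netif proto tcp from any to $internalip port $ftp_pasv_start:$ftp_pasv_end keep state flags S/SA
```

Check the file parses before loading it with `pfctl -nf /etc/pf.conf`, which validates the syntax without changing the running ruleset.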
