On Wed, 12 May 2010 20:18:14 +0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:

> > I don't think that line is complete, is it?
>
> that one's okay.
>
> $ echo 'pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port
> 8021' | pfctl -nvf -
> pass in quick inet proto tcp from any to any port = ftp flags S/SA
> keep state rdr-to 127.0.0.1 port 8021
It's valid, but if uncommented in the default pf.conf ruleset, it would allow anyone to use your ftp-proxy due to the following 'pass' rule.

http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.conf?rev=1.49;content-type=text%2Fplain

It would be better to prevent such potential abuse by using the egress interface group. The trouble is the 'on ...' will not allow the use of parentheses since it's denoting a group of interfaces rather than a group of addresses assigned to interfaces. But this is easily overcome by using 'from (...)' so when the underlying address(es) change on any interface in the group, the rule will be reevaluated.

NOTE: At present, I don't understand how pf reacts when interface groups are changed (interfaces added or deleted).

Index: pf.conf =================================================================== RCS file: /cvs/src/etc/pf.conf,v retrieving revision 1.49 diff -N -u -p pf.conf --- pf.conf 17 Sep 2009 06:39:03 -0000 1.49 +++ pf.conf 12 May 2010 22:25:59 -0000 @@ -8,7 +8,8 @@ set skip on lo # filter rules and anchor for ftp-proxy(8) #anchor "ftp-proxy/*" -#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021 +#pass in quick on !egress proto tcp from !(egress) to port ftp \ +# rdr-to 127.0.0.1 port 8021 # anchor for relayd(8) #anchor "relayd/*"
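Review bot: the open question in the NOTE above (whether a rule written with the egress interface group is re-evaluated when interfaces join or leave the group) should be settled before the shipped example comment changes, and the new `#pass in quick on !egress ...` line should also say what it does on a host whose only interface is in egress, where `on !egress` cannot match anything and uncommenting the rule would silently have no effect. The comment should also explain why both `on !egress` and `from !(egress)` are present: the interface clause already limits the rule to non-egress interfaces, and `from !(egress)` only excludes the firewall's own egress addresses as source, so if the parenthesised form is there purely to get dynamic address tracking, state that rather than leaving readers to infer it. Minor: the replacement spans two commented lines (`#pass in quick on !egress proto tcp from !(egress) to port ftp \` and `# rdr-to 127.0.0.1 port 8021`), so a user must uncomment both and keep the `\` continuation; either a single line or a comment saying so avoids a half-uncommented rule that fails to load. As the quoted reply shows, `pfctl -nvf -` is the quick check to run on the final text.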