2011/7/20 fqui nonez <fquinon...@gmail.com>:
> 2011/7/20 Andres Perera <andre...@zoho.com>:
>> On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez <fquinon...@gmail.com> wrote:
>
>>>>> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez <fquinon...@gmail.com>
>>>>> wrote:
>>>>>> Hello
>>>>>>
>>>>>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>>>>>> blocked packets, and send them to /var/log/pfblocklog to be read with
>>>>>> tcpdump. What and where should be the rule?
>
>>>>>> Thanks for your attention.
>>>
>>> Hello
>>>
>>> I changed it to:
>>>
>>> #    $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
>>> #
>>>
>>> set skip on lo
>>>
>>> ### Added by me:
>>> block log
>>>
>>> pass out quick on rl0
>>>
>>> antispoof quick for rl0
>>>
>>> pass in log on rl0 proto tcp from any to port 22
>>> pass in log on rl0 proto tcp from any to port 21
>>> pass in log on rl0 proto tcp from any to port 80
>>
>> replace all three by:
>> pass in log on rl0 proto tcp to port { 21 22 80 }
>>
>>>
>>> ### End.
>>>
>>> # filter rules and anchor for ftp-proxy(8)
>>> anchor "ftp-proxy/*"
>>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>>
>> you already pass these packets before. redundant rules make pfctl
>> output hard to read, so change it to:
>> match in proto tcp to port ftp rdr-to localhost port 8021
>>
>
> Done, thanks again!
>

Hello, again.

I am receiving this message at the client side:
"425 Can't build data connection: illegal port number"
Then I changed it to:

#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $

set skip on lo

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

### Added by me:
block log

pass out quick on rl0

antispoof quick for rl0

pass in log on rl0 proto tcp from any to port {21 22 80}

### End.

#pass           # to establish keep-state

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

ftpd is not working correctly with those rules; does somebody see the error?

Thanks for your attention.
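The blocked packets that `block log` produces are written by pflogd(8) to /var/log/pflog by default and are normally read with `tcpdump -n -e -ttt -r /var/log/pflog`. As an added example that is not part of this thread, the following Python parses a few constructed lines in that tcpdump output format, keeps only the `block` actions and tallies them by interface, destination port and source address, which is the first thing to look at when checking whether the rule set blocks what it should (the addresses and rule numbers below are made up).

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output; not real traffic.
SAMPLE_PFLOG = """\
Jul 20 08:49:01.104512 rule 1/(match) block in on rl0: 192.0.2.10.51234 > 198.51.100.5.23: S 1712890:1712890(0) win 65535
Jul 20 08:49:01.204512 rule 4/(match) pass in on rl0: 192.0.2.10.51235 > 198.51.100.5.22: S 1712891:1712891(0) win 65535
Jul 20 08:49:02.004512 rule 1/(match) block in on rl0: 203.0.113.7.40000 > 198.51.100.5.445: S 99:99(0) win 8192
Jul 20 08:49:02.104512 rule 1/(match) block in on rl0: 203.0.113.7.40001 > 198.51.100.5.23: S 100:100(0) win 8192
Jul 20 08:49:03.304512 rule 1/(match) block in on rl0: 203.0.113.7.40002 > 198.51.100.5.1055: udp 48
"""

# One pflog line as printed by tcpdump -e: timestamp, rule number, action,
# direction, interface, then "src.sport > dst.dport:" for IPv4 TCP/UDP.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\S+ (?P<action>block|pass|match) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Yield one dict per line that matches the pflog format; skip anything else."""
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            yield m.groupdict()

def blocked_by_port(text):
    """Count blocked packets per (interface, destination port); passes are ignored."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["ifname"], int(rec["dport"]))] += 1
    return counts

def blocked_sources(text):
    """Source addresses that hit a block rule, with hit counts."""
    return Counter(rec["src"] for rec in parse_pflog(text) if rec["action"] == "block")

if __name__ == "__main__":
    for (ifname, port), n in blocked_by_port(SAMPLE_PFLOG).most_common():
        print(f"{ifname} dport {port}: {n} blocked")
    for src, n in blocked_sources(SAMPLE_PFLOG).most_common():
        print(f"{src}: {n} blocked")
```

Feed it the real output with `tcpdump -n -e -ttt -r /var/log/pflog | python3 script.py` after swapping SAMPLE_PFLOG for sys.stdin.read(); a `pass` rule with `log` shows up the same way with action `pass`, so the filter on the action field is what separates the two.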
