Hello,

I have a laptop running FreeBSD 6.1, with a Netgear router/firewall and an ADSL modem to connect to the internet. I would like to set up a personal firewall on my computer and I chose OpenBSD pf. The only network interface is ndis0.

The filtering method is quite simple: everything is blocked and only what I need is authorized. However, I have a problem with the FTP protocol.

I tried ftp-proxy without success.

Here are my configuration files:

#### rc.conf

inetd_enable="YES"
inetd_flags="-wW -c 60 -a 127.0.0.1"

#### inetd.conf
ftp-proxy  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy -u proxy -m 49151 -M 50000

#### /etc/services
ftp-proxy  8021/tcp  #FTP Proxy

With the sockstat -4 command I have:
root  inetd   838  5 tcp4  127.0.0.1:8021  *:*

#### pf.conf:

# $FreeBSD: pf.conf,v 1.0 2006/10/31 21:49:20 olivier Exp $

# ---------------------
# Macros.
# ---------------------

# Network interface
int_if_1="lo0"
int_if_2="ndis0"

# tcp flags
tcpflags="flags S/SFRA"

# Router/firewall Netgear
wpnt834="192.168.1.1"

# Proxy http
proxy_http="proxy.free.fr"
proxy_port="3128"

# Log
logblock=""
logpass="log"

# ---------------------
# Options.
# ---------------------

set block-policy drop

# ---------------------
# Normalisation.
# ---------------------

scrub in all

# ---------------------
# Redirection.
# ---------------------

rdr on $int_if_2 proto tcp from any to any port 21 \
-> 127.0.0.1 port 8021

# ---------------------
# Filtering.
# ---------------------

# --------------
# default.
# --------------

block $logblock all

pass in quick on $int_if_1 all
pass out quick on $int_if_1 all

# Antispoof
antispoof for { $int_if_1 $int_if_2 }
block in $logblock quick from no-route
block out $logblock quick from no-route

# ---------------
# User.
# ---------------

# DHCP with router/firewall Netgear wpnt834
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
$wpnt834 port bootpc $tcpflags keep state

# DNS
pass out $logpass quick on $int_if_2 proto udp from ($int_if_2) to \
any port domain keep state

# Proxy
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
$proxy_http port $proxy_port $tcpflags keep state

# ICMP
pass out $logpass quick on $int_if_2 inet proto icmp from ($int_if_2) \
to any icmp-type 8 code 0 keep state

# http and https
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to  \
any port { http https } $tcpflags keep state

# ftp with ftp-proxy
pass in $logpass on $int_if_2 inet proto tcp from $int_if_2 port > 49151 \
keep state

# (MSN, IRC, ICQ and Jabber)
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
any port { 16863 6667 5190 5222 } $tcpflags keep state

# cvsup
pass out $logpass quick on $int_if_2 proto tcp from ($int_if_2) to \
any port 5999 $tcpflags keep state

# End of file

Afterwards, I used the ftp command and I get this message:
Trying 62.243.72.50...
ftp: connect: Operation not permitted
ftp>

I think my rdr doesn't work at all, but I don't know why. Could you help me with this? I remind you that I have only one host and one network interface.

Thank you very much.
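A check worth adding here (this is an added example, not part of the original post): "Operation not permitted" (EPERM) is the error a local process gets on FreeBSD when pf drops its outgoing packet, and with `logblock=""` the default `block all` rule never logs, so the ruleset gives no hint which rule matched. Setting `logblock="log"`, reloading, and reading `tcpdump -n -e -ttt -i pflog0` shows it directly. The script below runs over constructed pflog lines in that tcpdump format (not captured from the poster's machine) and reports every logged block of TCP traffic to port 21 together with the matching rule number; in practice, pipe real tcpdump output into `blocked_ftp_control` instead of the sample.

```shell
#!/bin/sh
# Added example, not the poster's configuration or code.
# Input format assumed: lines as printed by "tcpdump -n -e -ttt -i pflog0",
# i.e. "<time> rule <n>/<m>(<reason>): <action> <dir> on <ifname>: <src> > <dst>: ..."

# Constructed sample pflog output (addresses, ports and rule numbers are made up).
SAMPLE_PFLOG='000000 rule 0/0(match): block out on ndis0: 192.168.1.10.49200 > 62.243.72.50.21: S 1000:1000(0) win 65535
000012 rule 5/0(match): pass out on ndis0: 192.168.1.10.49201 > 192.168.1.1.53: [udp sum ok] 1+ A? www.freebsd.org. (31)
000004 rule 0/0(match): block in on ndis0: 10.0.0.9.1234 > 192.168.1.10.21: S 2000:2000(0) win 512'

# Read pflog lines on stdin; for each logged "block" whose destination port is
# 21 (the FTP control channel) print: "<rule number> <direction> <src> > <dst>".
blocked_ftp_control() {
    awk '$2 == "rule" && $4 == "block" {
        rule = $3; sub(/\/.*/, "", rule)   # "0/0(match):" -> "0"
        dst  = $10; sub(/:$/, "", dst)     # "62.243.72.50.21:" -> "62.243.72.50.21"
        n = split(dst, p, ".")             # last dotted component is the port
        if (p[n] == "21") print rule, $5, $8, ">", dst
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_ftp_control
```

A rule number of 0 in real output would correspond to the first filter rule of the ruleset above, the unlogged `block all`; `pfctl -vsr` prints the rules with their numbers for comparison.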
