On Wed, 12 May 2010 15:54:04 -0700, J.C. Roberts wrote:

>On Wed, 12 May 2010 20:18:14 +0000 (UTC) Stuart Henderson
><s...@spacehopper.org> wrote:
>> > I don't think that line is complete, is it?
>> 
>> that one's okay.
>> 
>> $ echo 'pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port
>> 8021' | pfctl -nvf -
>> pass in quick inet proto tcp from any to any port = ftp flags S/SA
>> keep state rdr-to 127.0.0.1 port 8021
>
>It's valid, but if uncommented in the default pf.conf ruleset, it would
>allow anyone to use your ftp-proxy due to the following 'pass' rule.
>
>http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.conf?rev=1.49;content-type=text%2Fplain
>
>It would be better to prevent such potential abuse by using the
>egress interface group. The trouble is the 'on ...' will not allow
>the use of parenthesis since it's denoting a group of interfaces
>rather than a group of addresses assigned to interfaces. But this
>is easily overcome by using 'from (...)' so when the underlying
>address(es) change on any interface in the group, the rule will
>be reevaluated.


What is wrong with the old rule:
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
being converted to:
pass in quick on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
put in a location above any other rule applying to $int_if ??

The reason I queried whether the 4.7 construct was correct is that it
applies to traffic from any to any. Even my suggested rule would not be
universal. Maybe there's an ftp server on the LAN.


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
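As an added illustration (not part of the thread), the two rule forms discussed above side by side in a pf.conf fragment; the interface name "em1" is an assumption, and the rules are positioned as Rod suggests, ahead of any other rule on $int_if:

```pf
# Added example, not from the original thread. Interface name is assumed.
int_if = "em1"        # LAN-facing interface where FTP clients live

# 4.7-style rule as it appears (commented) in the default pf.conf.
# It matches "from any to any", so once uncommented, the later 'pass'
# rule lets any host that can reach this box use the local ftp-proxy.
# pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# Scoped variant: only FTP connections arriving on $int_if are redirected
# to ftp-proxy. Keep it above every other rule that applies to $int_if.
pass in quick on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# The permissive default rule referred to in the thread; everything not
# matched by a 'quick' rule above falls through to here.
pass

# Syntax check before loading, as shown earlier in the thread:
#   $ pfctl -nvf /etc/pf.conf
```

The scoped rule still matches traffic to any FTP server, so, as Rod notes, it does not exempt an FTP server that lives on the LAN itself.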