Hi list,
I'm currently setting up a replacement firewall.
This machine must be able to do ftp requests for the clients, and for itself.
In inetd.conf I added this line:
127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -m 12000 -M 14000 -t 300
My pf.conf file looks like this one:

webmin="10000"
firewall="EXTIP"
local="127.0.0.1/8"
ssh="22"   # not in the original paste; the rules below reference $ssh, and pfctl refuses a ruleset with an undefined macro

set loginterface sf0    # We're using a really cool Quartett66 NIC from intel
set limit states 100000

# Enable ftp connections with proxy
rdr proto tcp from $firewall to any port 21 -> 127.0.0.1 port 8081
rdr proto tcp from $local to any port 21 -> 127.0.0.1 port 8081

# default is block
block in all
block out all   # from any to any = all

# allow local loop-back traffic
pass out from $local to any keep state
pass in from any to $local keep state

# Allow outgoing DNS queries
pass out proto udp from $firewall to any port domain keep state

# Allow outgoing ntp queries
pass out proto { udp, tcp } from $firewall to any port ntp keep state

# Allow outgoing alive checks via ping
pass out proto icmp from $firewall to any icmp-type 8 code 0 keep state

# Allow ftp sessions
pass out proto tcp from $firewall to any port ftp keep state
pass out proto tcp from $firewall to any port ftp-data keep state
pass out proto tcp from $local to any port ftp keep state
pass out proto tcp from $local to any port ftp-data keep state
# inbound data connections to the port range ftp-proxy was started with (-m 12000 -M 14000)
pass in proto tcp from any to $firewall port 12000 >< 14000 keep state

# Allow ssh sessions to other hosts
pass out proto tcp from $firewall to any port $ssh keep state

# Allow ssh connections to this host
pass in log proto tcp from any to $firewall port $ssh keep state

# Allow webmin connections to this host
pass in log proto tcp from any to $firewall port $webmin keep state

# Allow outgoing smtp connections (sendmail)
pass out log proto tcp from $firewall to any port smtp keep state
pass out log proto tcp from $local to any port smtp keep state

But that doesn't seem to work; if I do a pfctl -d, ftp works fine.
Everything else works as expected.
Is something wrong?
Are the rules related to ftp-data irrelevant?
Thx in advance
Stefan Sonnenberg-Carstens
RHCE & System-/Netzwerkadministrator
CoolSpot AG, Am Albertussee 1, D-40549 Düsseldorf
http://www.coolspot.de
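A check worth running on a ruleset like the one above before loading it, added here as an example (it is not from the post or from OpenBSD): it expands pf.conf macros the way pfctl does and reports any macro a rule references that the macro block never defines. The excerpt it runs over is constructed in the shape of the posted ruleset with the ssh macro left out, so it reports $ssh; pfctl refuses the whole file in that case, which is worth ruling out before looking at the ftp rules themselves.

```python
import re

# Constructed excerpt in the shape of the ruleset quoted in the post: the macro
# block defines webmin, firewall and local, but one rule references $ssh.
SAMPLE_PF_CONF = """\
webmin="10000"
firewall="EXTIP"
local="127.0.0.1/8"
# Enable ftp connections with proxy
rdr proto tcp from $firewall to any port 21 -> 127.0.0.1 port 8081
pass in proto tcp from any to $firewall port 12000 >< 14000 keep state
pass out proto tcp from $firewall to any port $ssh keep state
pass in log proto tcp from any to $firewall port $webmin keep state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')


def expand_macros(line, macros, undefined):
    # Substitute $name like pfctl does. Values may reference earlier macros, so
    # repeat until stable (bounded, so a self-reference cannot loop forever).
    # Unknown names are recorded and left in place so they stay visible.
    def sub(match):
        name = match.group(1)
        if name in macros:
            return macros[name]
        undefined.add(name)
        return match.group(0)
    for _ in range(16):
        new = MACRO_REF.sub(sub, line)
        if new == line:
            break
        line = new
    return line


def lint_pf_conf(text):
    # Return (macros, expanded_rules, undefined_macro_names). pfctl rejects the
    # whole file if any rule uses an undefined macro, so check that set first.
    macros, rules, undefined = {}, [], set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = expand_macros(m.group(2), macros, undefined)
        else:
            rules.append(expand_macros(line, macros, undefined))
    return macros, rules, undefined
```

The expanded rules come back with every defined macro substituted, so the list also shows what pfctl would actually install once the missing definition is supplied.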
- Re: Am I too dull for ftp-proxy ? Stefan Sonnenberg-Carstens
- Re: Am I too dull for ftp-proxy ? Daniel Hartmeier
- Re: Am I too dull for ftp-proxy ? Stefan Sonnenberg-Carstens
- Re: Am I too dull for ftp-proxy ? Daniel Hartmeier