Hi all. At the end of this email is my complete pf.conf file. I'm running -CURRENT from Fri Nov 21. I know I'm behind, cvs up is running.
I have a major problem with my pf setup and I cannot find my answer anywhere.

1. Hosts out on the internet cannot passive FTP to my server. And a lot that connect to my machine using active FTP get the error "Won't open connection to (put any internal range here that people have on their LAN)". I really would like to see people be able to use passive FTP when connecting/downloading from my server. The FTP server is running on the same machine as pf. Don't have resources to set up a DMZ host.

Can someone please help me?

pf.conf: (some lines are wrapped over 2 lines, my email client does that.)

#################################################################
# macro definitions
ext_if = "xl0"
int_if = "rl0"
int_net = "192.168.2.0/24"
nat_p = "{tcp, udp, icmp}"
no_go_ip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"

#################################################################
# options: "set"
set loginterface xl0
set limit { frags 30000, states 25000 }

#################################################################
# scrub rules: "scrub"
scrub in on $ext_if all fragment reassemble

altq on $ext_if cbq bandwidth 1000Kb queue { def, ftp-inet, prio-inet }
queue def bandwidth 100% cbq(default)
queue ftp-inet bandwidth 200Kb cbq(ecn)
queue prio-inet bandwidth 320Kb cbq { prio-inet-def, prio-inet-pri }
queue prio-inet-def priority 0
queue prio-inet-pri priority 7

#################################################################
# NAT rules: "rdr", "nat", "binat"
nat on $ext_if proto $nat_p from $int_net to any -> $ext_if
#ftp proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#################################################################
# filtering rules: "antispoof", "block", "pass"
# block and log everything by default
block out log on $ext_if all label logall-tcp-out
block in log on $ext_if all label logall-tcp-in
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all

# antispoofing stuff
# silently drop broadcasts (cable modem noise)
block in log quick on $ext_if from any to 255.255.255.255 label noise
# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in log on $ext_if inet from $no_go_ip to $ext_if label nogoip
block out log on $ext_if inet from any to $no_go_ip label nogoip

# ICMP
# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state \
    queue (prio-inet-def,prio-inet-pri) label icmp-type-8

# UDP
# pass out all UDP connections and keep state
pass out on $ext_if inet proto udp all keep state queue \
    (prio-inet-def,prio-inet-pri)
# pass in certain UDP connections and keep state (DNS)
pass in on $ext_if proto udp from any to any port domain keep state

# TCP
pass out on $ext_if inet proto tcp all flags S/SA modulate state \
    queue (prio-inet-def,prio-inet-pri)
pass out on $ext_if inet proto tcp from any port { ftp, ftp-data } \
    modulate state
# pass in certain TCP connections and keep state (SSH, FTP, IDENT, WWW)
pass in on $ext_if proto tcp from any to any port { ssh, auth, www, 443, \
    smtp, imap, pop3, ftp, ftp-data, domain, rsync } flags S/SA keep state \
    queue (prio-inet-def,prio-inet-pri)
pass in on $ext_if proto tcp from any to any port { domain } \
    flags S/SA keep state

# allow all on internal
pass in on $int_if all
pass out on $int_if all
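Passive FTP makes the client open a second, inbound TCP connection to a server-chosen data port, so the firewall on the server host has to pass that port range in, and the ruleset above only passes ports ftp and ftp-data. The fragment below is an added example in the same pf syntax as the posted ruleset, not part of the original mail; the range 49152:65535 is an assumption and must match the passive port range the FTP daemon is configured to use.

```pf
# Added example (not from the original post): pass passive-FTP data
# ports in to the FTP server running on the firewall host itself.
# The range is an assumption; it must equal the passive range set in the
# FTP daemon, and should be kept as narrow as that daemon allows so that
# nothing else listening in the range becomes reachable from outside.
ftp_pasv_ports = "49152:65535"

# control connection (port 21), same state and queue handling as the
# posted TCP rules
pass in on $ext_if inet proto tcp from any to $ext_if port ftp \
    flags S/SA keep state queue (prio-inet-def,prio-inet-pri)

# passive data connections: the client connects in to a server-chosen
# port in the range; replies are put on the existing ftp-inet queue
pass in on $ext_if inet proto tcp from any to $ext_if port $ftp_pasv_ports \
    flags S/SA keep state queue ftp-inet
```

This only covers passive mode; the active-mode "Won't open connection to ..." error quoted above is raised by the FTP daemon when a PORT command names an address other than the connecting client's (typically a NATed client's private address), and no pf rule on the server changes that.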