Sorry for the lack of information. Now I'm on the Inhouse network (em1) and trying to connect to the Staging network (em2). When I use passive FTP, there are errors like this:
1144651969.072458 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
1144651971.932291 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
1144651977.967393 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

Thanks,
Thitiporn

On 4/10/06, IMS <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm trying to write ftp rules with pf.
> Now I found an error while transferring data with ftp passive mode (ftp-proxy).
>
> ################################################################
>
> # macros
> net_if = "em0"
> inh_if = "em1"
> stg_if = "em2"
>
> icmp_types = "echoreq"
>
> # options
> set block-policy drop
> set loginterface $stg_if
> set skip on lo0
>
> # scrub
> scrub in all
>
> # Bandwidth Shaping
> ## For Inhouse -> Staging
> altq on $stg_if priq bandwidth 45Mb \
>     queue{stg-ssh, stg-www, stg-rdp, stg-newscenter, stg-other}
>
> queue stg-ssh priority 14 priq
> queue stg-www priority 13 priq
> queue stg-rdp priority 12 priq
> queue stg-newscenter priority 11 priq
> queue stg-other priority 10 priq(default)
>
> ## For Staging -> Inhouse
> altq on $net_if priq bandwidth 45Mb \
>     queue{net-dns, net-ssh, net-www, net-rdp, net-newscenter, net-other}
>
> queue net-dns priority 14 priq
> queue net-ssh priority 13 priq
> queue net-www priority 12 priq
> queue net-rdp priority 11 priq
> queue net-newscenter priority 10 priq
> queue net-other priority 9 priq(default)
>
> # nat/rdr
> nat on $net_if from $stg_if:network to any -> ($net_if)
> # FTP RULES
> rdr on $stg_if proto tcp from any to any port {20, 21} -> 127.0.0.1 \
>     port 8021
> rdr on $inh_if proto tcp from any to any port {20, 21} -> 127.0.0.1 \
>     port 8021
>
> # filter rules
> block drop log all
>
> # Allow Ping
> pass in inet proto icmp all icmp-type $icmp_types modulate state
>
> ## Staging -> Net ##
> # Time-Sync #
> pass in on $stg_if inet proto udp from any to ($stg_if) \
>     port ntp modulate state label "Time-Sync" queue net-other
> # SSH For Administrator #
> pass in on $stg_if inet proto tcp from any to ($stg_if) \
>     port 22 flags S/SA modulate state label "SSH Admin" queue net-ssh
> # FTP Proxy For Staging -> Net #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to any port 8021 modulate state label "Staging -> Net: FTP" queue net-other
> # FTP Data Port From Net -> Staging #
> pass in on $net_if inet proto tcp from port 20 to ($net_if) \
>     user proxy flags S/SA modulate state label "Staging -> Net: FTP Data" queue net-other
> # HTTP #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port {80, 443} modulate state label "Staging -> Net: HTTP" queue net-www
> # DNS #
> pass in on $stg_if inet proto {tcp, udp} from $stg_if:network \
>     to !$inh_if:network port 53 modulate state label "Staging -> Net: DNS" queue net-dns
> # PRS #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port 52001 modulate state label "Staging -> Net: PRS" queue net-other
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port 52101 >< 52300 modulate state label "Staging -> Net: PRS" queue net-other
> # POP3 & SMTP #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port {110, 25} modulate state label "Staging -> Net: POP3,SMTP" queue net-other
> # KIMENG FEED #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port 8089 modulate state label "Staging -> Net: KIMENG" queue net-other
> # ASPEN-JACC #
> pass in on $stg_if inet proto tcp from $stg_if:network \
>     to !$inh_if:network port 1751 modulate state label "Staging -> Net: ASPEN" queue net-other
>
> ## Inhouse -> Staging ##
> # SSH For Administrator #
> pass in on $inh_if inet proto tcp from any to ($inh_if) \
>     port 22 flags S/SA modulate state label "SSH Admin" queue stg-ssh
> # FTP Proxy For Inhouse -> Staging #
> pass in on $inh_if inet proto tcp from $inh_if:network \
>     to any port 8021 flags S/SA modulate state label "Inhouse -> Staging: FTP" queue stg-other
> # FTP Data Port From Staging -> Inhouse #
> pass in on $stg_if inet proto tcp from port 20 to ($stg_if) \
>     user proxy flags S/SA modulate state label "Inhouse -> Staging: FTP Data" queue stg-other
> # SSH #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port 22 modulate state label "Inhouse -> Staging: SSH" queue stg-other
> # HTTP #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port {80, 443} modulate state label "Inhouse -> Staging: HTTP" queue stg-www
> # REMOTE DESKTOP #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port 3389 modulate state label "Inhouse -> Staging: REMOTE DESKTOP" queue stg-rdp
> # NEWSCENTER #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port {27000, 27001} modulate state label "Inhouse -> Staging: NEWSCENTER" queue stg-newscenter
> # ASPEN-DEMO #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port {1749, 30000, 30001} modulate state label "Inhouse -> Staging: ASPEN-DEMO" queue stg-other
> # DVR #
> pass in on $inh_if inet proto {tcp, udp} from $inh_if:network \
>     to $stg_if:network port 9001 modulate state label "Inhouse -> Staging: DVR" queue stg-other
>
> ## DEFAULT RULE ##
> pass out on $inh_if from any to any modulate state label "Total Inhouse"
> pass out on $stg_if from any to any modulate state label "Total Staging"
> pass out on $net_if from any to any modulate state label "Total Net"
>
>
> ################################################################
>
>
> If I connect with ftp using active mode, there is no problem.
> Do I need to open more rules?
>
> Thanks,
> Thitiporn
>
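The three pflog lines in the reply share one source port (1366) and one initial sequence number (2656931431), so they are retransmissions of a single blocked connection attempt. The following is an added example, not code from the thread: a small Python parser for the tcpdump-style text that pflog produces, which groups blocked SYNs by interface, rule and endpoints so that one missing pass rule shows up as one entry instead of a run of identical lines. The sample input is constructed from the reply's lines plus one made-up line on em2.

```python
import re
from collections import defaultdict

# tcpdump-style text printed for TCP by `tcpdump -n -e -ttt -i pflog0` (shape of the lines in the reply).
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+) (?P<seq>\d+):\d+\(\d+\)"
)

def parse_line(line):
    """Fields of one pflog text line as a dict, or None if the line is not a TCP pflog line."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "sport", "dport", "seq"):
        d[k] = int(d[k])
    d["ts"] = float(d["ts"])
    return d

def summarize_blocks(lines):
    """Group blocked SYNs by (iface, rule, src, sport, dst, dport); lines sharing a source
    port and ISN are retransmits of one connection attempt, i.e. one missing pass rule."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "seqs": set()})
    for line in lines:
        d = parse_line(line)
        if d is None or d["action"] != "block" or d["flags"] != "S":
            continue  # only blocked connection openers are interesting here
        g = groups[(d["ifname"], d["rule"], d["src"], d["sport"], d["dst"], d["dport"])]
        g["count"] += 1
        g["first"] = d["ts"] if g["first"] is None else min(g["first"], d["ts"])
        g["last"] = d["ts"] if g["last"] is None else max(g["last"], d["ts"])
        g["seqs"].add(d["seq"])
    return dict(groups)

# Constructed sample: the three lines from the reply plus one unrelated blocked SYN on em2.
SAMPLE = """\
1144651969.072458 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
1144651971.932291 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
1144651977.967393 rule 0/(match) block in on em1: 192.168.1.181.1366 > 192.168.202.71.1326: S 2656931431:2656931431(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
1144651980.500000 rule 0/(match) block in on em2: 192.168.202.71.20 > 192.168.1.181.1400: S 1234:1234(0) win 65535 <mss 1460> (DF)
""".splitlines()

if __name__ == "__main__":
    for (ifn, rule, src, sport, dst, dport), g in summarize_blocks(SAMPLE).items():
        print(f"{ifn} rule {rule}: {src}:{sport} -> {dst}:{dport} blocked {g['count']}x "
              f"over {g['last'] - g['first']:.1f}s, {len(g['seqs'])} distinct ISN(s)")
```

Run against `tcpdump -n -e -ttt -r /var/log/pflog` output, each entry names the interface and destination port for which no pass rule matched.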