
Re: FTP clients behind PF can connect to ftp servers but cannot list files, why?



Change your pass in rule to quick, or move the rule beneath your block in rule.


-- 
clint
Cryptek, Inc.


Mipam wrote:


On Sun, 3 Oct 2004, Peter Matulis wrote:

 > > Output from pflog0:
 > >
 > > 4. 422299 rule 1/0(match): block in on wm0: IP (tos
 > > 0x0, ttl 242, id
 > > 58380, offset 0, flags [DF], length: 44, bad cksum
 > > d0ab (->2145)!)
 > > 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum
 > > ok]
 > > 693991520:693991520(0) win 8760 <mss 1460>
 > >
 > > Any hints?
 >
 > Maybe supply your pf.conf

Sorry for the late response.
The config in this case is very simple, no top security, and
internal machines may send out anything.
As for this network, I am running no internal services, which makes
it even more simple.

################# pf.conf ############################
ext_if="wm0"
int_if="wm1"

set limit { states 20000, frags 10000, src-nodes 2000 }
set block-policy drop
set state-policy floating

scrub on $ext_if all fragment reassemble reassemble tcp random-id

nat on $ext_if from 10.1.1.0/24 to any -> ($ext_if:0)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
pass in on $ext_if inet proto tcp from any port 20 \
        to $ext_if port 55000 >< 57000 user proxy \
        flags S/SA keep state

block in on $ext_if

pass out on $ext_if modulate state
########## end of pf.conf ############################
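An added illustration of why both of the suggested fixes work (this is example code written for this page, not code from the thread or from pf itself): a small Python model of pf's rule evaluation, where the last matching rule decides unless a matching rule carries `quick`. It evaluates the two `in` rules from the quoted pf.conf against a packet constructed from the quoted pflog line (an inbound SYN on wm0 from TCP port 20 to port 55674). Assumptions: the `user proxy` qualifier is left out of the model, since the ordering alone decides this packet's fate, and the rule `text` strings are only labels for the reader.

```python
"""Model of how pf evaluates a ruleset (added example, not from the thread).

pf reads a ruleset top to bottom; the LAST rule that matches a packet decides,
unless a matching rule is marked `quick`, in which case evaluation stops there.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str
    proto: str
    src_port: int
    dst_port: int
    tcp_flags: str      # letters of the set TCP flags, e.g. "S" for a bare SYN


@dataclass(frozen=True)
class Rule:
    text: str                                    # the pf.conf line being modelled
    action: str                                  # "pass" or "block"
    direction: str                               # "in" or "out"
    iface: str
    quick: bool = False
    proto: Optional[str] = None                  # None matches any protocol
    src_port: Optional[int] = None               # None matches any source port
    dst_range: Optional[Tuple[int, int]] = None  # exclusive range, pf's "><"
    flags: Optional[str] = None                  # pf "flags S/SA" form; None = any

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.iface) != (p.direction, p.iface):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_range is not None:
            lo, hi = self.dst_range
            if not lo < p.dst_port < hi:         # "><" excludes both endpoints
                return False
        if self.flags is not None:
            want, mask = self.flags.split("/")
            # "S/SA": of the SYN and ACK bits, exactly SYN must be set
            if {f for f in p.tcp_flags if f in mask} != set(want):
                return False
        return True


def evaluate(rules, pkt: Packet, default: str = "pass") -> str:
    """Return the verdict pf would reach for pkt under this ruleset."""
    verdict = default                 # pf passes packets that no rule matches
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action     # a later match overrides an earlier one...
            if rule.quick:
                break                 # ...unless the match is `quick`
    return verdict


# The two `in` rules from the quoted pf.conf. The `user proxy` qualifier on the
# pass rule is omitted from the model (assumption: ordering decides this case).
def ftp_data_pass(quick: bool = False) -> Rule:
    q = "quick " if quick else ""
    return Rule(text=f"pass in {q}on $ext_if inet proto tcp from any port 20 "
                     "to $ext_if port 55000 >< 57000 flags S/SA keep state",
                action="pass", direction="in", iface="wm0", quick=quick,
                proto="tcp", src_port=20, dst_range=(55000, 57000), flags="S/SA")


BLOCK_IN = Rule(text="block in on $ext_if", action="block",
                direction="in", iface="wm0")

ORIGINAL = [ftp_data_pass(), BLOCK_IN]             # as posted: pass, then block
QUICK_FIX = [ftp_data_pass(quick=True), BLOCK_IN]  # fix 1: make the pass quick
REORDERED = [BLOCK_IN, ftp_data_pass()]            # fix 2: block first, pass last

# Constructed from the pflog excerpt: 129.128.5.191.20 > ...55674, flags S.
FTP_DATA_SYN = Packet("in", "wm0", "tcp", src_port=20, dst_port=55674, tcp_flags="S")
# A constructed SYN from port 20 to a port outside the range; no fix should pass it.
SSH_FROM_20 = Packet("in", "wm0", "tcp", src_port=20, dst_port=22, tcp_flags="S")


def verdicts(pkt: Packet) -> dict:
    """Verdict for pkt under the posted ruleset and under each of the two fixes."""
    return {"original": evaluate(ORIGINAL, pkt),
            "quick": evaluate(QUICK_FIX, pkt),
            "reordered": evaluate(REORDERED, pkt)}


if __name__ == "__main__":
    for name, pkt in (("ftp data SYN", FTP_DATA_SYN), ("SYN to port 22", SSH_FROM_20)):
        print(name, verdicts(pkt))
```

Under the posted ordering the FTP data SYN matches the pass rule and then the block rule, and the block rule wins, which is exactly what the quoted pflog shows (`rule 1/0(match): block in on wm0`, rule index 1 being the second rule). Either fix leaves the SYN to port 22 blocked, and the real rule's `user proxy` qualifier should stay in place so the hole is limited to sockets owned by the proxy.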