
Re: FTP clients behind PF can connect to ftp servers but cannot list files, why?



On Mon, 4 Oct 2004, Clinton Sigmon wrote:
> change your 'pass in' rule to 'quick', or move the rule beneath your
> 'block in' rule
Thanks, of course that worked.
I am ashamed of myself for not realising this before.
Last rule match...
I removed the 'from any port 20', because some FTP servers are also
behind NATs/firewalls.
Bye,
Mipam.
> 
> 
> -- 
> clint
> Cryptek, Inc.
> 
> 
> Mipam wrote:
> 
> > On Sun, 3 Oct 2004, Peter Matulis wrote:
> > 
> >  > > Output from pflog0:
> >  > >
> >  > > 4. 422299 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, flags [DF], length: 44, bad cksum d0ab (->2145)!)
> >  > > 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum ok] 693991520:693991520(0) win 8760 <mss 1460>
> >  > >
> >  > > Any hints?
> >  >
> >  > Maybe supply your pf.conf
> > 
> > Sorry for the late response.
> > The config in this case is very simple, no top security, and
> > internal machines may send out anything.
> > As for this network, I am running no internal services, which makes
> > it even more simple.
> > 
> > ################# pf.conf ############################
> > ext_if="wm0"
> > int_if="wm1"
> > 
> > set limit { states 20000, frags 10000, src-nodes 2000 }
> > set block-policy drop
> > set state-policy floating
> > 
> > scrub on $ext_if all fragment reassemble reassemble tcp random-id
> > 
> > nat on $ext_if from 10.1.1.0/24 to any -> ($ext_if:0)
> > 
> > rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> > pass in on $ext_if inet proto tcp from any port 20 \
> >         to $ext_if port 55000 >< 57000 user proxy \
> >         flags S/SA keep state
> > 
> > block in on $ext_if
> > 
> > pass out on $ext_if modulate state
> > ########## end of pf.conf ############################
> > 
>
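The following is an added example, not code from this thread and not pf itself: a small Python model of pf's rule evaluation (the last matching rule wins, unless the match carries 'quick') applied to the pf.conf posted above and to the SYN seen in the pflog0 output. It models only what the thread turns on: direction, interface, protocol, source port, a '><' destination port range and 'quick'. Destination address, 'user proxy', 'flags S/SA', state tracking and NAT are deliberately left out, so 82.161.169.153 is assumed to be wm0's address and the second packet (from 198.51.100.7) is constructed for illustration. The rulesets ORIGINAL, FIX_QUICK, FIX_REORDER and FINAL are names chosen here, not pf anchors.

```python
"""Model of pf rule evaluation for the pf.conf and pflog output posted
above. Added example; not pf's code and not from the original thread."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", as pf sees it on the interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    text: str                     # the pf.conf fragment this rule models
    action: str                   # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None   # None = any protocol
    sport: Optional[int] = None   # None = any source port
    dport: Optional[Tuple[int, int]] = None  # pf "><": both ends excluded
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.iface) != (p.direction, p.iface):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not (lo < p.dport < hi):
                return False
        return True


def decide(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """pf semantics: rules are evaluated top to bottom and the LAST
    matching rule wins, except that a matching rule marked `quick` ends
    evaluation on the spot. Returns None when nothing matched."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


def action(rules: List[Rule], p: Packet) -> str:
    r = decide(rules, p)
    return r.action if r is not None else "pass"  # pf's implicit default


# The two relevant rules from the posted pf.conf (wm0 = $ext_if).
PASS_FTP_DATA = Rule(
    "pass in on wm0 inet proto tcp from any port 20 to wm0 port 55000 >< 57000",
    "pass", "in", "wm0", proto="tcp", sport=20, dport=(55000, 57000))
BLOCK_IN = Rule("block in on wm0", "block", "in", "wm0")

ORIGINAL = [PASS_FTP_DATA, BLOCK_IN]                   # as posted
FIX_QUICK = [replace(PASS_FTP_DATA, quick=True), BLOCK_IN]  # add 'quick'
FIX_REORDER = [BLOCK_IN, PASS_FTP_DATA]                # move below the block
# What Mipam ended up with: reordered and 'from any port 20' dropped, since
# the server side of a data connection may itself sit behind NAT.
FINAL = [BLOCK_IN, replace(PASS_FTP_DATA, sport=None)]

# The SYN from the pflog0 output: 129.128.5.191.20 > 82.161.169.153.55674
FTP_DATA_SYN = Packet("in", "wm0", "tcp", "129.128.5.191", 20,
                      "82.161.169.153", 55674)
# Constructed packet: not from port 20, but aimed at the proxy's range.
ANY_SPORT = Packet("in", "wm0", "tcp", "198.51.100.7", 44444,
                   "82.161.169.153", 56000)

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("quick", FIX_QUICK),
                     ("reordered", FIX_REORDER), ("final", FINAL)):
        r = decide(rs, FTP_DATA_SYN)
        print(f"{name:9s}: {action(rs, FTP_DATA_SYN):5s} via "
              f"{r.text if r else '(no match)'}")
```

In the posted order both rules match the logged SYN and 'block in on wm0' is the later one, which is exactly the "rule 1/0(match): block in" line in the log; either 'quick' on the pass rule or moving it below the block makes the pass rule the effective one. The model also makes the cost of dropping 'from any port 20' visible: the pass rule then admits any source port into the 55000-57000 range, and what still narrows it in real pf is 'user proxy' (the socket must belong to ftp-proxy) together with the 'flags S/SA keep state' state entry.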