
Re: Can't even do an ls on a FTP server located on the WAN



On Wed, Feb 16, 2005 at 08:47:37AM +0100, Nicolas wrote:
> 
> You're right, everything is blocked by default on the bastion, not just
> inbound but also outbound! What ports, hosts and direction should I
> allow, in your opinion?
  welp, i still don't have the answer about why ftp-proxy tried to make
  a connection out that was blocked -- i block all by default also, 
  in and out, so if ftp-proxy is trying to make an outbound connection
  on my setup just like it is on yours, it is getting allowed by
  some other rule.
  if you wanted to just be quick and easy about it, you could just
  use a rule that allows all sockets owned by user proxy, regardless
  of direction:
pass on $e inet proto tcp all user proxy keep state flags S/SA label "ftp-proxy"
  maybe you'd need quick to conform to the logic of your ruleset.
  or you could again just check the pflog to find the instance of the
  time ftp-proxy got blocked, assuming you're logging all blocks.
  still seems to me that the one from before to your auth port 113
  wasn't really the one that ftp-proxy got blocked on.
  jared
-- 
[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
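The block-by-default ruleset with the user-based pass rule described above, written out as an added pf.conf fragment (not from the original thread); the external interface name fxp0 is an assumption:

```pf
# Added example, not from the thread. Assumes the external interface is fxp0.
e = "fxp0"

# Default deny in both directions. "log" sends every blocked packet to pflog0,
# which is what lets you find the connection ftp-proxy was refused on.
block log all

# ftp-proxy runs as user "proxy" and opens its own TCP connections (control
# channel to the remote server, data channels), so allow any TCP socket owned
# by that user regardless of direction. "quick" stops a later rule from
# overriding this one; the label lets "pfctl -s labels" show how often it fires.
pass quick on $e inet proto tcp all user proxy keep state flags S/SA label "ftp-proxy"
```

Blocked packets can then be read back with `tcpdump -n -e -ttt -r /var/log/pflog`, and `pfctl -s labels` confirms whether the ftp-proxy rule is the one actually matching.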