Hello Jeremy (et al.): We found the issue and I wanted to share the solution.
As before, this rule worked as expected:
# --
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> port { ftp,
49152:65535 } modulate state flags S/SA
# --
However, when the following rule was in place, we couldn't get any ftp traffic
to the ftp servers. We tried modifying the rule by replacing ! <ftp_servers>
with individual IPs and server macros, but nothing seemed to fix it. However,
when we removed the rule entirely, we could ftp to the servers, but we could
also ftp to the PF devices themselves, which was not what we wanted.
#--
block in log quick on $vlan2_if proto tcp from any to ! <ftp_servers> port 21
#--
Next, we tried this rule, but we experienced the same results.
#--
block in log quick on $vlan2_if proto tcp from any to any port 21 flags S/SA
#--
Finally, we had success.
#--
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA
#--
Where
#--
table <firewall> const { self }
#--
This allows ftp traffic through the PF firewall to the ftp servers but
disallows ftp connections to the PF devices themselves; connections to the ftp
servers are allowed to pass with
#--
pass in quick on $vlan2_if proto tcp from any to <ftp_servers> port { ftp,
49152:65535 } modulate state flags S/SA
#--
Thanks again to Jeremy for the various rules and the explanation of ftp
methodology, without which we would have gotten stuck with the 49152:65535 port
range requirements.
Regards,
Mike
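The working combination from the message above, assembled into one pf.conf fragment in evaluation order. This is an added example, not part of the original post or any poster's configuration; the interface macro value and the addresses placed in <ftp_servers> are constructed placeholders (RFC 5737 documentation space), everything else is the rules as given in the thread.

```pf
# Added example (not from the original post): the final working rules in the
# order PF evaluates them.
# Assumptions not in the original: the value of vlan2_if and the addresses in
# <ftp_servers> are constructed placeholders.
vlan2_if = "vlan2"

# <firewall> expands to every address configured on this host's interfaces.
table <firewall> const { self }

# Constructed placeholder addresses for the FTP servers behind the firewall.
table <ftp_servers> const { 192.0.2.10, 192.0.2.11 }

# Block and log new FTP control connections (SYN set, ACK clear) whose
# destination is the firewall itself. No "quick" here: PF keeps evaluating,
# and the last matching rule wins, so a later pass rule can still override
# this decision for other destinations.
block in log on $vlan2_if proto tcp from any to <firewall> port 21 flags S/SA

# Pass FTP control (21) and the passive data range to the real FTP servers.
# "quick" ends evaluation at this rule for packets it matches; "modulate
# state" creates a state entry and rewrites the initial sequence numbers.
pass in quick on $vlan2_if inet proto tcp from any to <ftp_servers> \
    port { ftp, 49152:65535 } modulate state flags S/SA
```

A SYN to one of the FTP servers on port 21 matches both rules; because the block carries no `quick`, the later `pass ... quick` is the last match and wins. A SYN to one of the firewall's own addresses on port 21 matches only the block rule and is dropped and logged. If the block rule carried `quick` and preceded the pass rule, evaluation would stop at the block and the pass rule would never be reached, so leaving `quick` off the block is what lets the per-server pass rule take precedence. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the usual way to check a ruleset like this before applying it.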
