> # SSH from NetEng subnet
> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port
> 22 keep state
>
> # Allow inside network to ping the server
> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>
> # Allow DNS lookups
> pass out quick on $ext_if proto udp to any port 53
> pass out quick on $ext_if proto tcp to any port 53 keep state
>
> # Allow ftp
> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
> port 20 keep state
>
> --- end of pf.conf ----------------------
To prevent problems with TCP window scaling you should create state on only the first packet of the 3-way TCP handshake, the packet with only the SYN flag set. With pf you do this by using 'keep state flags S/SA'. This TCP window scaling issue is explained by Daniel Hartmeier, pf hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238 under the section "Create TCP states on the initial SYN packet".

BTW I wonder why you don't use the pf ftp-proxy, and why you allow active ftp transfers ;)

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
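As an added illustration (not part of the original mail or the quoted pf.conf), here are two of the quoted TCP rules rewritten so that state is created only on the initial SYN, with the macro names kept as in the quote; the pfctl commands in the comments are the standard ones for checking and inspecting the loaded rules:

```pf
# BEFORE (as quoted): state is created on whatever TCP packet first
# matches the rule. If that is a mid-stream packet, pf never saw the
# SYN/SYN-ACK that negotiated the window scaling option, so its idea of
# the peers' windows is wrong and legitimate data can later be dropped.
pass out quick on $ext_if proto tcp to any port 53 keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state

# AFTER: "flags S/SA" means "of the SYN and ACK bits, only SYN is set",
# i.e. the first packet of the 3-way handshake. A packet with any other
# combination does not match this rule and falls through to whatever
# follows (typically a default block), so no state is created for it.
pass out quick on $ext_if proto tcp to any port 53 \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 \
    flags S/SA keep state

# Check the syntax without loading it:   pfctl -nf /etc/pf.conf
# After loading, list the state table:   pfctl -ss
# Each TCP state should now start from a SYN_SENT / ESTABLISHED pair
# rather than appearing out of nowhere in the middle of a connection.
```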
