On Thu, Jan 7, 2010 at 2:37 PM, J65nko <[email protected]> wrote:
>> # SSH from NetEng subnet
>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
>>
>> # Allow inside network to ping the server
>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>
>> # Allow DNS lookups
>> pass out quick on $ext_if proto udp to any port 53
>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>
>> # Allow ftp
>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP port 20 keep state
>>
>> --- end of pf.conf ----------------------
>
> To prevent problems with TCP window scaling you should create state on
> only the first packet of the 3-way TCP handshake, the packet with only
> the SYN flag set.
>
> With pf you do this by using 'keep state flags S/SA'.
>
> This TCP window scaling issue is explained by Daniel Hartmeier, pf
> hacker, in http://undeadly.org/cgi?action=article&sid=20060928081238
> under the section "Create TCP states on the initial SYN packet".
>
> BTW I wonder why you don't use the pf ftp-proxy, and why you allow
> active ftp transfers ;)
>
Changed the three ftp pass rules to "flags S/SA"; still no love. I was not using the proxy because there is no NAT involved. I will try adding the pf ftp-proxy. I am forced by user requirements to allow active transfers.

Thanks for all of the input!

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
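A small ruleset check for the window-scaling point raised in the thread, added here as an example and not code from either poster: it reports TCP pass rules that create state without restricting it to the initial SYN via `flags S/SA`. The sample ruleset is constructed from the quoted pf.conf, with the fix already applied to the port-21 rule so the output shows only the remaining rules.

```python
import re

# Constructed sample ruleset, modelled on the pf.conf quoted in the thread.
# The port-21 FTP rule already carries "flags S/SA"; the other TCP rules still
# create state on whatever packet happens to match first.
SAMPLE_PF_CONF = """\
# SSH from NetEng subnet
pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port 22 keep state
# Allow inside network to ping the server
pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
# Allow DNS lookups
pass out quick on $ext_if proto udp to any port 53
pass out quick on $ext_if proto tcp to any port 53 keep state
# Allow ftp
pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state flags S/SA
pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 \\
    keep state
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
FLAGS_RE = re.compile(r"\bflags\s+S/SA\b")
TCP_RE = re.compile(r"\bproto\s+tcp\b")


def logical_lines(text):
    """Yield (first_line_no, rule): joins backslash continuations, drops comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # strip trailing pf comments
        if not line.strip() and not buf:
            continue
        start = start if buf else no
        if line.endswith("\\"):                 # pf line continuation
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None


def find_unflagged_tcp_state(text):
    """Return [(line_no, rule)] for TCP pass rules keeping state without flags S/SA."""
    hits = []
    for no, rule in logical_lines(text):
        if rule.startswith("pass") and TCP_RE.search(rule) \
                and STATE_RE.search(rule) and not FLAGS_RE.search(rule):
            hits.append((no, rule))
    return hits


for no, rule in find_unflagged_tcp_state(SAMPLE_PF_CONF):
    print(f"line {no}: add 'flags S/SA' -> {rule}")
```

On pf releases where `flags S/SA` is already the default for TCP pass rules, a report from this check is about making that intent explicit in the ruleset rather than a behavioural change.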
