On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet <[email protected]> wrote:
> Dear freebsd list,
> I have the following pf.conf file:
>
> tcp_services = "{ ftp, ssh, domain, www, auth, https }"
> udp_services = "{ ftp, domain, ntp }"
> icmp_types = "echoreq"
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following
> example: fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to
> fetch it.
> My second question is: Is my ruleset looking fine, as I want to block
> everything and only let some specific services go out. Or does it need to be
> tightened more?
> Brgds Dino
Dino-

Default behavior for FTP is that you open a connection to the server on port 20 and then the server opens a connection back to you on another port, basically. This means that when you have the firewall active you're blocking this inbound connection on the alternate port.

The easiest way to work around this and still get the security of having a firewall running is to use "PASSIVE" mode in your FTP client, which basically indicates that the client will open the second connection to the server:

$ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can set to default to passive FTP. See fetch(3), but basically set it to anything besides "no" to set the default.

Cheers,
Ben
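To make the two answers concrete, here is an added toy model of a pf-style stateful filter that walks the TCP part of Dino's ruleset over an FTP session in active and in passive mode. It is not code from the thread or from pf itself: the addresses and port numbers are constructed, every pass rule is treated as stateful, and the last matching rule wins as in pf without "quick". It shows why the active-mode data connection (inbound, server to client) is blocked, and also that the passive-mode data connection goes out to a server-chosen high port that is not in $tcp_services, so that ruleset blocks it too until an outbound stateful rule for unprivileged ports (shown here as a constructed variant, RULESET_WITH_HIGH_PORTS) is added.

```python
"""Toy pf-style stateful filter evaluating FTP flows against Dino's ruleset.

Constructed example: hosts use TEST-NET addresses, data ports are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Service names from the pf.conf macros, resolved as /etc/services would
PORTS = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80, "auth": 113, "https": 443, "ntp": 123}
TCP_SERVICES = {PORTS[n] for n in ("ftp", "ssh", "domain", "www", "auth", "https")}


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the host running pf
    proto: str                # "tcp" or "udp"
    src: tuple                # (address, port)
    dst: tuple                # (address, port)


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # None matches both directions ("block all")
    proto: Optional[str] = None          # None matches any protocol
    dst_ports: object = None             # None (any port), a set of ports, or a predicate
    keep_state: bool = True              # toy assumption: every pass rule creates state

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dst_ports is None:
            return True
        port = pkt.dst[1]
        return self.dst_ports(port) if callable(self.dst_ports) else port in self.dst_ports


# The TCP rules from the mail; the commented-out lines are left out
DINO_RULESET = [
    Rule("block"),
    Rule("pass", "out", "tcp", TCP_SERVICES),
    Rule("pass", "out", "tcp", {5999}),
]

# Constructed variant: additionally allow outbound TCP to unprivileged ports, stateful
RULESET_WITH_HIGH_PORTS = DINO_RULESET + [Rule("pass", "out", "tcp", lambda p: p > 1023)]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (proto, src, dst) of each connection's first packet

    def evaluate(self, pkt: Packet) -> str:
        # A packet matching an existing state passes in either direction without
        # consulting the rules; that is what "keep state" buys the reply traffic.
        fwd = (pkt.proto, pkt.src, pkt.dst)
        rev = (pkt.proto, pkt.dst, pkt.src)
        if fwd in self.states or rev in self.states:
            return "pass"
        # pf semantics without "quick": the last matching rule decides
        decision, winner = "block", None
        for rule in self.rules:
            if rule.matches(pkt):
                decision, winner = rule.action, rule
        if decision == "pass" and winner.keep_state:
            self.states.add(fwd)
        return decision


CLIENT = "192.0.2.10"      # constructed: the pf host running fetch
SERVER = "198.51.100.5"    # constructed: the FTP server


def ftp_session(ruleset, passive: bool):
    """Return verdicts for (control connection, its reply, data connection)."""
    fw = StatefulFilter(ruleset)
    control = fw.evaluate(Packet("out", "tcp", (CLIENT, 50000), (SERVER, PORTS["ftp"])))
    reply = fw.evaluate(Packet("in", "tcp", (SERVER, PORTS["ftp"]), (CLIENT, 50000)))
    if passive:
        # PASV: the server names a high port and the client connects out to it
        data = fw.evaluate(Packet("out", "tcp", (CLIENT, 50002), (SERVER, 41234)))
    else:
        # Active (PORT): the server connects back from port 20 to the client's port
        data = fw.evaluate(Packet("in", "tcp", (SERVER, 20), (CLIENT, 50001)))
    return control, reply, data


if __name__ == "__main__":
    for name, rs in (("dino", DINO_RULESET), ("dino+highports", RULESET_WITH_HIGH_PORTS)):
        for passive in (False, True):
            print(name, "passive" if passive else "active", ftp_session(rs, passive))
```

Running it prints the control connection and its reply passing in every case, the active data connection blocked under both rulesets (nothing passes inbound), and the passive data connection blocked under the original ruleset but passing once the high-port rule is present.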
