Hi list,
I've seen a lot of people using ftp-proxy in their pf.conf's, though their
servers are only ftp servers (not clients) and are self-defending (there are
no firewalls in front of them to defend them). But I've been reading the PF
FAQ and got a little bit confused... From the PF FAQ:
"Please note that ftp-proxy(8) is to help FTP clients behind a PF filter; it
is not used to handle an FTP server behind a PF filter."
So if I understand correctly I don't need ftp-proxy for a self-defending ftp
server and this pf.conf is good:
# macros
ext_if="xl0"
good_host="xxx.xxx.xxx.xxx"
# tables
table <private_ips> { 10/8, 172.16/12, 192.168/16 } const persist
table <bad_hosts> { }
# options
set loginterface xl0
set optimization normal
set limit { states 10000, frags 5000, src-nodes 10000 }
set block-policy drop
set state-policy if-bound
set debug urgent
# normalization
scrub all fragment reassemble no-df random-id
# block private, blacklisted, broadcast and spoofed traffic, then everything else by default
block log quick on $ext_if from <private_ips>
block log quick from <bad_hosts>
block log quick from any to 255.255.255.255
antispoof log quick for { lo0, $ext_if }
block out log quick on $ext_if from !$ext_if to any
block log all
# management: ssh and icmp from the trusted host only
pass in log-all quick on $ext_if inet proto tcp from $good_host to $ext_if port ssh flags S/SA modulate state
# the rule as posted used $jt_ext_ip, a macro that is never defined (pfctl rejects that); $good_host is used here
pass in log-all quick on $ext_if inet proto icmp from $good_host to $ext_if modulate state
pass out log-all on $ext_if inet proto icmp from $ext_if to any modulate state
# ftp control channel, rate limited; hosts exceeding the rate are added to <bad_hosts>
pass in log-all on $ext_if inet proto tcp from any to $ext_if port ftp flags S/SA modulate state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
# active-mode data connections originate from port ftp-data on the server
pass out log-all on $ext_if inet proto tcp from $ext_if port ftp-data to any modulate state
# passive-mode data connections arrive on the ftp daemon's passive port range
pass in log-all on $ext_if inet proto tcp from any to $ext_if port 65435:65535 modulate state
Or do I need ftp-proxy? Please help me clear this up.
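A quick consistency check on the ruleset above, as an added example (not code from the poster or from the PF project): the ICMP rule references `$jt_ext_ip`, but only `ext_if` and `good_host` are defined, and pfctl refuses to load a ruleset with an undefined macro. The script below is a small linter for that class of mistake. It joins backslash-continued lines, strips `#` comments, records every macro (`name="value"`) and table (`table <name>`) definition in order, and reports each `$macro` or `<table>` reference that has no earlier definition. The ruleset embedded in it is the one quoted in the post, with each rule on a single line (the mail wrapping removed); the line numbers it reports refer to that embedded copy.

```python
import re

# Constructed sample: the ruleset quoted in the post, one rule per line.
POSTED_RULESET = """\
ext_if="xl0"
good_host="xxx.xxx.xxx.xxx"
table <private_ips> { 10/8, 172.16/12, 192.168/16 } const persist
table <bad_hosts> { }
set loginterface xl0
set optimization normal
set limit { states 10000, frags 5000, src-nodes 10000 }
set block-policy drop
set state-policy if-bound
set debug urgent
scrub all fragment reassemble no-df random-id
block log quick on $ext_if from <private_ips>
block log quick from <bad_hosts>
block log quick from any to 255.255.255.255
antispoof log quick for { lo0, $ext_if }
block out log quick on $ext_if from !$ext_if to any
block log all
pass in log-all quick on $ext_if inet proto tcp from $good_host to $ext_if port ssh flags S/SA modulate state
pass in log-all quick on $ext_if inet proto icmp from $jt_ext_ip to $ext_if modulate state
pass out log-all on $ext_if inet proto icmp from $ext_if to any modulate state
pass in log-all on $ext_if inet proto tcp from any to $ext_if port ftp flags S/SA modulate state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
pass out log-all on $ext_if inet proto tcp from $ext_if port ftp-data to any modulate state
pass in log-all on $ext_if inet proto tcp from any to $ext_if port 65435:65535 modulate state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')
TABLE_DEF = re.compile(r'^table\s+<([A-Za-z0-9_]+)>')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TABLE_REF = re.compile(r'<([A-Za-z0-9_]+)>')


def logical_lines(text):
    """Yield (first_line_number, rule) with '#' comments stripped and
    backslash-continued lines joined, the way pfctl reads the file."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def lint(text):
    """Return [(line_number, kind, name)] for every $macro or <table>
    reference with no earlier definition. pf requires macros to be defined
    before use, so a forward reference is reported as undefined too."""
    macros, tables, problems = set(), set(), []
    for num, rule in logical_lines(text):
        m = MACRO_DEF.match(rule)
        if m:
            # a macro value may itself expand earlier macros, e.g. lan="$ext_if"
            problems += [(num, "macro", n) for n in MACRO_REF.findall(m.group(2))
                         if n not in macros]
            macros.add(m.group(1))
            continue
        t = TABLE_DEF.match(rule)
        if t:
            tables.add(t.group(1))
            continue
        problems += [(num, "macro", n) for n in MACRO_REF.findall(rule) if n not in macros]
        problems += [(num, "table", n) for n in TABLE_REF.findall(rule) if n not in tables]
    return problems


if __name__ == "__main__":
    for num, kind, name in lint(POSTED_RULESET):
        print(f"line {num}: undefined {kind} {name!r}")
    # prints: line 19: undefined macro 'jt_ext_ip'
```

Run against the posted ruleset it reports exactly one problem, the `$jt_ext_ip` reference in the ICMP rule; replacing that with `$good_host` (the only trusted-host macro the file defines) makes the check pass. On a host with pf, `pfctl -nf /etc/pf.conf` performs the authoritative version of this check along with full syntax validation; the script is only useful where pfctl is not available, for example when reviewing a configuration copied into a mail or a ticket.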