Hi, I am trying to set up a (mostly) isolated network to clean infected PCs. Based on my personal judgment of security vs. convenience I would like to allow the clients to use certain web and ftp sites.

Web site access is controlled via squid (transparent). Ftp access works in active mode via ftp-proxy. Passive mode does *not* work since I block client traffic not going to the proxies via pf. Problem is that most web browsers I deal with these days use passive mode. I would prefer not to change these browser settings (if they can be changed).

So, and now finally to the question: Is it possible to create conditional pf rules to pass certain traffic to a host *after* a connection to a specific port on the same host has been made? So, a client is connecting to ftp.host.net on default port 21. Hence, pf allows the same client to connect to other ports on that host.

I've read "man pf.conf" and thought that tables or tags *might* work for this.

Tables: How do I *automatically* add hosts to tables?
Tags: How can I use a tag on different packets?
For both: How do I set an inactivity timeout to undo those changes automatically?

Have I missed something? Any other ideas? This isn't really critical of course, but I thought I'd ask the list before I give up on this thought.

The OpenBSD gateway is running 3.7-stable/sparc64.

Thanks!
-Jason
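As an added illustration (not part of the original post, and not a reply from the list), a pf.conf fragment in the 3.x syntax for the setup described above: HTTP and FTP control traffic from the quarantine segment redirected to the transparent proxies, everything else from the clients blocked by default. Interface names, the client subnet and the proxy ports are assumptions; the `user proxy` rule assumes ftp-proxy is started from inetd on port 8021 and drops privileges to the "proxy" user.

```pf
# Added example, not from the original post. Names, addresses and ports are assumptions.
int_if = "fxp1"                        # interface facing the quarantined clients (assumed)
ext_if = "fxp0"                        # interface facing the Internet (assumed)
table <clients> { 192.168.50.0/24 }    # quarantine network (constructed address range)

# Transparent redirects: HTTP to squid (3128), FTP control channel to ftp-proxy (8021 via inetd)
rdr on $int_if inet proto tcp from <clients> to any port 80 -> 127.0.0.1 port 3128
rdr on $int_if inet proto tcp from <clients> to any port 21 -> 127.0.0.1 port 8021

# Default deny on the quarantine segment: only the redirected proxy ports are reachable,
# so an infected client cannot reach arbitrary Internet hosts directly
block in log on $int_if all
pass in on $int_if inet proto tcp from <clients> to 127.0.0.1 port { 3128, 8021 } \
    flags S/SA keep state

# Only the proxies on the gateway (not the clients) open outbound connections
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 21, 80 } flags S/SA keep state

# Active-mode data connections arrive from the server's port 20 and belong to ftp-proxy;
# the user match keeps this from becoming a general inbound hole
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) user proxy flags S/SA keep state
```

The `log` keyword on the block rule makes every blocked client attempt visible via pflog, which is the useful signal on a cleaning network: a host that keeps trying ports other than 21 and 80 is still doing something on its own.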