On Tue, Mar 16, 2010 at 4:49 AM, Dave Anderson <[email protected]> wrote:
> I'm configuring a notebook which will use PF to protect itself from the
> environments in which I use it, and would like to have FTP 'just work'
> on it -- whether it's from an explicit FTP command, from a browser, or
> embedded in some other program or script. Unfortunately there doesn't
> seem to be any really good way to do this when a system is its own
> firewall; the best tool I've found so far is 'ftpsesame', which
> acknowledges a couple of significant problems (there's no guarantee that
> the PF rules changes it makes will happen in time, and inspecting
> packets 'on the fly' without a full TCP stack is error-prone).
>
> I'd expect this to be a rather common desire; is there a good solution
> that I've missed? Suggestions are very welcome.
For a local snapshot ftp server in my LAN, I use a table with
'approved' ftp servers and only allow passive ftp to these servers.
The table can be updated with pfctl if needed.
table <ftp_sites> {
    ftp.openbsd.org
    ftp.eu.openbsd.org
    anga.funkfeuer.at
    ftp.wu-wien.ac.at
    ftp.nluug.nl
    ftp5.usa.openbsd.org
    ftp3.usa.openbsd.org
    obsd.cec.mtu.edu
}
# -- sysctl
# net.inet.ip.porthifirst=49152
FTPfirst = 49152
# -- outgoing passive ftp
pass out quick on egress inet proto tcp from egress to <ftp_sites> \
    port ftp
pass out quick on egress inet proto tcp from egress port >= 1023 \
    to <ftp_sites> port >= $FTPfirst
For a less rigid approach you could define an anchor and, in case you
want to do ftp, populate the anchor with a variation of the above rules:
pass out quick on egress inet proto tcp from egress to any \
    port ftp
pass out quick on egress inet proto tcp from egress port >= 1023 \
    to any port >= $FTPfirst
After finishing ftp you flush the rules from the anchor.
After finishing ftp you flush the rules from the anchor.
I know this is not exactly what you asked for ;)
Adriaan
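The anchor approach from the reply above, turned into a small sh wrapper around one ftp(1) session; this is an added example, not code from the thread. It assumes the anchor is named ftp and is referenced from the main pf.conf as `anchor "ftp"`, that the high-port range starts at 49152 as in the sysctl comment above, and that pfctl is run as root (or via doas).

```shell
#!/bin/sh
# Added example (not from the thread): keep the permissive passive-FTP rules
# in a PF anchor only while one ftp(1) session is running.
# Assumptions: the main pf.conf contains the line   anchor "ftp"
# (otherwise the anchor is never evaluated), net.inet.ip.porthifirst=49152
# as in the thread, and pfctl is run as root (or via doas).

FTPFIRST=49152        # first port of the net.inet.ip.porthifirst range
ANCHOR=ftp            # anchor name referenced from pf.conf

# Print the two outgoing passive-FTP rules for a target ("any" or a PF
# table such as "<ftp_sites>"). Kept separate from pfctl so the generated
# text can be inspected or tested without touching the running ruleset.
ftp_anchor_rules() {
    target=${1:-any}
    printf '%s\n' \
        "pass out quick on egress inet proto tcp from egress to $target port ftp" \
        "pass out quick on egress inet proto tcp from egress port >= 1023 to $target port >= $FTPFIRST"
}

# Replace whatever the anchor holds with the generated rules.
ftp_anchor_load() {
    ftp_anchor_rules "$1" | pfctl -a "$ANCHOR" -f -
}

# Drop every rule in the anchor again, i.e. the state the thread describes
# after finishing ftp.
ftp_anchor_flush() {
    pfctl -a "$ANCHOR" -F rules
}

# For the rigid variant: add one host to the approved-servers table.
ftp_site_add() {
    pfctl -t ftp_sites -T add "$1"
}

# With arguments, run "ftp host ..." with the anchor loaded and flush it on
# any exit, including Ctrl-C. Without arguments only the functions are defined.
if [ $# -gt 0 ]; then
    trap ftp_anchor_flush EXIT
    trap 'exit 130' INT TERM
    ftp_anchor_load any
    ftp "$@"
fi
```

Run it as `doas sh ftpwrap.sh ftp.openbsd.org`; the anchor is emptied again as soon as ftp exits, so the wide-open high-port rule never outlives the session.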