On Thu, Nov 4, 2010 at 10:27 PM, onteria <[email protected]> wrote:
> I'm currently working on locking down one of my machines with pf.
> Right now it has a default deny policy and FTP is causing issues. I did
> a search on how to get around FTP oddities using ftp-proxy, but from what I
> understand this requires an internal interface to work, which this
> system doesn't have since it's behind a netgear router.

Sounds like your netgear router is handling the NATing and your obsd box
is simply a client (single NIC) on the network. Is this correct or am I
misreading your description? If correct, you are over-complicating
things and do not need ftp-proxy. With pf disabled is FTP working OK?

--patrick

> Is there something like ftp-proxy for external interface only setups
> that uses anchors to rewrite rules on the fly?
>
> Another option I thought of is making a wrapper script around ftp or
> whatever the command line client was that would take in the hostname as
> the first argument, and the rest of the arguments would be passed to
> whatever the client was. The first call to the script would use pfctl to
> add the server to a table, which would then have a lenient ruleset for
> any FTP server in that table. Once the command is done running, pfctl
> would remove that server from the table. I'm wondering if this would be
> a good idea.
>
> PS: Yes, I plan to setup an OpenBSD router at some point so this
> doesn't become an issue. Unfortunately I'm saving up for something at
> the moment, so even a cheap router off Ebay is out of the question right
> now :)
>
> - Onteria
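The wrapper script Onteria sketches above, written out as an added example that is not part of the thread. It assumes a pf.conf that declares `table <ftp_servers> persist` and passes outbound TCP to that table (passive FTP data channels land on ephemeral server ports, which a default-deny outbound policy otherwise blocks); the table, variable and function names (`ftp_servers`, `TABLE`, `PFCTL`, `FTP_CLIENT`, `run_ftp`) are my own choices.

```shell
#!/bin/sh
# ftpwrap: open pf for one FTP server only while an ftp session runs.
# Assumed pf.conf fragment (hypothetical, not from the thread):
#   table <ftp_servers> persist
#   pass out proto tcp to <ftp_servers> port > 1023
# The entry exists only for the session's lifetime, so the lenient rule
# never applies to hosts that are not currently in use.

TABLE="${FTPWRAP_TABLE:-ftp_servers}"   # pf table named in pf.conf
PFCTL="${FTPWRAP_PFCTL:-/sbin/pfctl}"   # needs root (run via sudo)
FTP_CLIENT="${FTPWRAP_CLIENT:-/usr/bin/ftp}"

# Accept only a hostname or IP literal; reject option-looking or shell-
# metacharacter input so nothing odd reaches pfctl or the ftp client.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

table_add() { "$PFCTL" -q -t "$TABLE" -T add "$1"; }
table_del() { "$PFCTL" -q -t "$TABLE" -T delete "$1"; }

# run_ftp HOST [ftp args...]: add HOST, run the client, remove HOST.
# Returns 2 on a bad host, 3 if pfctl could not add it, else the client's
# exit status. The trap removes the entry even if the session is killed.
run_ftp() {
    host="$1"; shift
    valid_host "$host" || return 2
    table_add "$host" || return 3
    trap 'table_del "$host"' EXIT INT TERM
    "$FTP_CLIENT" "$host" "$@"
    rc=$?
    table_del "$host"
    trap - EXIT INT TERM
    return $rc
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
[ "$#" -eq 0 ] || run_ftp "$@"
```

Because the router does NAT, only passive mode can work here anyway; the table rule covers exactly that second outbound connection.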

