Hello,
Happy new year to everyone.
I've got a FreeBSD 6.x machine acting as an FTP client using ncftp. It's
connecting to a server with passive off set in the .ncftp/prefs_v3 file.
Both the FreeBSD client box and the LAN are protected by an OpenBSD machine
running pf and ftp-proxy; the fbsd box also runs pf. On both machines the
pf is set to default deny. On the client box I can connect to the FTP
server, but trying anything times out the data connection. If I set the
client's firewall to pass all, the connection works fine, which tells me that
the LAN gateway's pf setup is fine; it's the client pf config where the
issue is. I've included my rules for FTP below. If anyone can tell me a fix
for this I'd appreciate it; I don't like the idea of setting the firewall to
pass all when I connect to FTP servers.
Thanks.
Dave.
pf.conf:

ext_if = "vr0"
tcp_services = "{ ftp-data, ftp, ssh, smtp, www, pop3, imap, https, smtps, rsync, pop3s, imaps, 8000, 11371 }"
tcp_state = "flags S/SA keep state"

# table filled by the overload option below; it must exist for the ruleset to load
table <bruteforce> persist

set optimization normal
set block-policy return
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in on $ext_if

# default deny
block log all

# allow tcp services in, with per-source connection limits
pass in quick on $ext_if inet proto tcp from any to any port $tcp_services \
    $tcp_state (max-src-conn 10, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# allow tcp services out
pass out quick on $ext_if inet proto tcp from $ext_if to any port $tcp_services \
    $tcp_state

# ftp: outbound connections to high ports
pass out quick on $ext_if inet proto tcp from $ext_if to any port > 49151 \
    $tcp_state
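As an added illustration, not part of the original post or a reply to it: a small Python model of how pf evaluates the ruleset above against the three TCP connections of an active-mode (passive off) FTP session. The addresses and ports are constructed sample values, and the model only approximates pf (it looks at direction, source address and ports, with last match winning unless a rule is quick).

```python
# Toy model of pf rule evaluation applied to the posted ruleset, to show
# which connections of an active-mode (passive off) FTP session it admits.
# Simplified: last match wins, "quick" stops evaluation, and a rule looks
# only at direction, source address, source port and destination port.

FTP_DATA, FTP = 20, 21
TCP_SERVICES = {FTP_DATA, FTP, 22, 25, 80, 110, 143, 443, 465, 873,
                995, 993, 8000, 11371}          # the $tcp_services macro
EXT_IF_ADDR = "192.0.2.10"                      # constructed address of vr0
SERVER = "198.51.100.5"                         # constructed FTP server address

# (action, direction or None for both, match predicate, quick)
RULES = [
    ("block", None, lambda f: True, False),                        # block log all
    ("pass", "in", lambda f: f["dport"] in TCP_SERVICES, True),    # allow tcp services
    ("pass", "out", lambda f: f["src"] == EXT_IF_ADDR and f["dport"] in TCP_SERVICES, True),
    ("pass", "out", lambda f: f["src"] == EXT_IF_ADDR and f["dport"] > 49151, True),  # ftp
]

# First packet of each connection as seen on the client's vr0. In active mode
# the client announces a listening port with PORT and the server connects back.
FLOWS = {
    "control": {"dir": "out", "src": EXT_IF_ADDR, "sport": 50000, "dport": FTP},
    "active_data": {"dir": "in", "src": SERVER, "sport": FTP_DATA, "dport": 50001},
    "passive_data": {"dir": "out", "src": EXT_IF_ADDR, "sport": 50002, "dport": 52000},
}

def evaluate(flow, rules=RULES):
    """Return (action, index of deciding rule) for a connection's first packet."""
    verdict = ("block", None)  # nothing matched: pf's implicit default
    for i, (action, direction, match, quick) in enumerate(rules):
        if direction is not None and direction != flow["dir"]:
            continue
        if match(flow):
            verdict = (action, i)
            if quick:
                break
    return verdict

def verdicts(rules=RULES):
    """Map each flow name to the action the ruleset takes on its first packet."""
    return {name: evaluate(flow, rules)[0] for name, flow in FLOWS.items()}

# The posted "# ftp" rule is outbound only, so it covers passive mode; the
# inbound server->client data connection of active mode falls through to
# "block log all". In pf.conf a rule admitting it would read
#   pass in quick on $ext_if inet proto tcp from any port ftp-data \
#       to ($ext_if) port > 49151 $tcp_state
# but it trusts the peer's source port, which any remote host can choose.
RULES_WITH_ACTIVE_DATA = RULES + [
    ("pass", "in", lambda f: f["sport"] == FTP_DATA and f["dport"] > 49151, True),
]
```

Running `verdicts()` shows the control connection and a passive-mode data connection passing while the active-mode data connection is blocked by the catch-all rule.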