Re: pf headaches: why won't it let me fetch from ftp servers?

2010-01-08 Thread Morgan Wesström
Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file:
> tcp_services = { ftp, ssh, domain, www, auth, https }
> udp_services = { ftp, domain, ntp }
> icmp_types   = echoreq
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following
> example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to
> fetch it.
> My second question is: Is my ruleset looking fine, as I want to block
> everything and only let some specific services go out. Or does it need to be
> tightened more?
> Brgds,
> Dino

The ftp protocol is unfortunately not very firewall friendly and it
involves far more ports and connections than you have accounted for in your
rules. You should have a look at ftp-proxy(8) and closely study the pf
examples there. I'm sure it will solve your problem.
/Morgan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


pf headaches: why won't it let me fetch from ftp servers?

2010-01-07 Thread Dino Vliet
Dear freebsd list,
I have the following pf.conf file:
tcp_services = { ftp, ssh, domain, www, auth, https }
udp_services = { ftp, domain, ntp }
icmp_types   = echoreq
block all
pass inet proto icmp all icmp-type $icmp_types keep state
#pass in proto tcp to any port 22 keep state
pass out proto tcp to any port $tcp_services keep state
#pass out proto tcp to any port 25 keep state
#pass out proto tcp to any port 465 keep state
#pass out proto tcp to any port 587 keep state
pass out proto tcp to any port 5999 keep state
#pass out all keep state
#pass out proto tcp to any keep state
pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following
example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
I get the result: Operation not permitted
My first question is: What is causing this? If I stop pf, then I'm able to
fetch it.
My second question is: Is my ruleset looking fine, as I want to block everything
and only let some specific services go out. Or does it need to be tightened more?
Brgds,
Dino


Re: pf headaches: why won't it let me fetch from ftp servers?

2010-01-07 Thread Ben Schumacher
On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet dino_vl...@yahoo.com wrote:
> Dear freebsd list,
> I have the following pf.conf file:
> tcp_services = { ftp, ssh, domain, www, auth, https }
> udp_services = { ftp, domain, ntp }
> icmp_types   = echoreq
> block all
> pass inet proto icmp all icmp-type $icmp_types keep state
> #pass in proto tcp to any port 22 keep state
> pass out proto tcp to any port $tcp_services keep state
> #pass out proto tcp to any port 25 keep state
> #pass out proto tcp to any port 465 keep state
> #pass out proto tcp to any port 587 keep state
> pass out proto tcp to any port 5999 keep state
> #pass out all keep state
> #pass out proto tcp to any keep state
> pass out proto udp to any port $udp_services
>
> However, if I try to fetch a file from an ftp server as in the following
> example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result: Operation not permitted
> My first question is: What is causing this? If I stop pf, then I'm able to
> fetch it.
> My second question is: Is my ruleset looking fine, as I want to block
> everything and only let some specific services go out. Or does it need to be
> tightened more?
> Brgds,
> Dino

Dino-

Default behavior for FTP is that you open a connection to the server on port
20 and then the server opens a connection back to you on another port,
basically. This means that when you have the firewall active you're
blocking this inbound connection on the alternate port. The easiest
way to work around this and to get the security of having a firewall
running is to use PASSIVE mode in your FTP client, which basically
indicates that the client will open a second connection to the server:
$ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can
set to default to passive FTP. See fetch(3), but basically set it to
anything besides no to set the default.

Cheers,
Ben
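Morgan's point (FTP needs more connections than the posted rules allow for) and Ben's point (passive mode turns the data connection into a second outbound connection) can both be checked against the ruleset itself. The following is an added example, not code from the thread or from pf: a toy stateful evaluator that models only the rule shapes Dino posted ("block all", "pass in/out proto X to any port Y"), with pf's last-match-wins evaluation and state creation on pass rules (keep state has been the default on pass rules since the pf version FreeBSD 7 imported, so the explicit keyword in the post changes nothing). The client and server port numbers in the simulated FTP session are constructed; the service-to-port mapping follows /etc/services.

```python
# Toy stateful model of the pf ruleset posted in this thread (constructed
# example; it does not parse real pf.conf syntax, only the handful of rule
# shapes the post uses).  Two pf facts it models: without "quick" the last
# matching rule wins, and a pass rule creates state so that reply packets
# of that flow are accepted without being matched against the rules again.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Port numbers for the service names used in the post, as in /etc/services.
SERVICES = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80,
            "auth": 113, "https": 443, "ntp": 123}


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    direction: Optional[str] = None         # "in", "out" or None for both
    proto: Optional[str] = None             # "tcp", "udp" or None for any
    ports: Optional[FrozenSet[int]] = None  # destination ports, None = any


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", seen from the firewalled host
    proto: str
    src_port: int
    dst_port: int


class Pf:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.states = set()   # (proto, local_port, remote_port) of flows with state

    def evaluate(self, pkt: Packet) -> str:
        local, remote = ((pkt.src_port, pkt.dst_port) if pkt.direction == "out"
                         else (pkt.dst_port, pkt.src_port))
        if (pkt.proto, local, remote) in self.states:
            return "pass"                # reply packet of an established flow
        winner = None
        for rule in self.rules:          # no "quick": last match wins
            if rule.direction and rule.direction != pkt.direction:
                continue
            if rule.proto and rule.proto != pkt.proto:
                continue
            if rule.ports is not None and pkt.dst_port not in rule.ports:
                continue
            winner = rule
        if winner is not None and winner.action == "block":
            return "block"
        self.states.add((pkt.proto, local, remote))   # pass rules keep state
        return "pass"


def ruleset(allow_any_outbound_tcp: bool = False) -> List[Rule]:
    """Dino's rules (ICMP omitted), optionally with his commented-out
    'pass out proto tcp to any keep state' appended as the last rule."""
    tcp = frozenset(SERVICES[s] for s in ("ftp", "ssh", "domain", "www", "auth", "https"))
    udp = frozenset(SERVICES[s] for s in ("ftp", "domain", "ntp"))
    rules = [
        Rule("block"),                                  # block all
        Rule("pass", "out", "tcp", tcp),                # pass out proto tcp to any port $tcp_services
        Rule("pass", "out", "tcp", frozenset({5999})),  # pass out proto tcp to any port 5999
        Rule("pass", "out", "udp", udp),                # pass out proto udp to any port $udp_services
    ]
    if allow_any_outbound_tcp:
        rules.append(Rule("pass", "out", "tcp"))        # pass out proto tcp to any
    return rules


def ftp_download(mode: str, allow_any_outbound_tcp: bool = False) -> Dict[str, str]:
    """Verdicts for the three packets that matter in a simplified FTP
    download: the control-connection SYN, the server's reply on it, and the
    SYN of the data connection.  Port numbers are constructed."""
    fw = Pf(ruleset(allow_any_outbound_tcp))
    control_syn = Packet("out", "tcp", 49152, 21)
    control_reply = Packet("in", "tcp", 21, 49152)
    if mode == "active":
        # client sent PORT 49153; the server connects back from port 20
        data_syn = Packet("in", "tcp", 20, 49153)
    elif mode == "passive":
        # server answered PASV with port 50000; the client connects out to it
        data_syn = Packet("out", "tcp", 49153, 50000)
    else:
        raise ValueError(mode)
    return {"control": fw.evaluate(control_syn),
            "control_reply": fw.evaluate(control_reply),
            "data": fw.evaluate(data_syn)}


if __name__ == "__main__":
    for mode in ("active", "passive"):
        for widen in (False, True):
            label = "any outbound tcp" if widen else "posted rules"
            print(f"{mode:8} {label:17} {ftp_download(mode, widen)}")
```

Running it shows that the posted rules reject the data connection in both modes: active FTP needs an inbound connection from the server's port 20, which "block all" drops, and passive FTP needs an outbound connection to an arbitrary high port on the server, which is not in $tcp_services. Ben's `fetch -p` therefore only helps together with the commented-out `pass out proto tcp to any keep state`, at which point unsolicited inbound connections are still refused but egress filtering by port is given up. Morgan's ftp-proxy(8) route keeps the narrow policy, because the proxy opens exactly the negotiated data connection through its anchor. As a diagnostic aside, pf on FreeBSD reports a locally generated packet it has blocked back to the sending process as EPERM, which is the "Operation not permitted" in the post, so that message itself points at an outbound connection being blocked rather than an inbound one.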


RE: pf headaches: why won't it let me fetch from ftp servers?

2010-01-07 Thread Gary Gatten
I'm not all that familiar with pf syntax, but you know ftp uses ports above 
1023 right?  Is pf stateful by default so it can allow the ports above 1023?  
Also, make sure you're using passive (PASV) ftp.

G


-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Dino Vliet
Sent: Thursday, January 07, 2010 3:39 PM
To: freebsd-questions@freebsd.org
Subject: pf headaches: why won't it let me fetch from ftp servers?

Dear freebsd list,
I have the following pf.conf file:
tcp_services = { ftp, ssh, domain, www, auth, https }
udp_services = { ftp, domain, ntp }
icmp_types   = echoreq
block all
pass inet proto icmp all icmp-type $icmp_types keep state
#pass in proto tcp to any port 22 keep state
pass out proto tcp to any port $tcp_services keep state
#pass out proto tcp to any port 25 keep state
#pass out proto tcp to any port 465 keep state
#pass out proto tcp to any port 587 keep state
pass out proto tcp to any port 5999 keep state
#pass out all keep state
#pass out proto tcp to any keep state
pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following
example: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
I get the result: Operation not permitted
My first question is: What is causing this? If I stop pf, then I'm able to
fetch it.
My second question is: Is my ruleset looking fine, as I want to block everything
and only let some specific services go out. Or does it need to be tightened more?
Brgds,
Dino