Re: pf headaches: why won't it let me fetch from ftp servers?
Dino Vliet wrote:
> Dear freebsd list,
> I have the following pf.conf file: [ruleset as in the original message]
> However, if I try to fetch a file from an ftp server as in the following example:
>     fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result:
>     Operation not permitted
> My first question is: what is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
> Brgds
> Dino

The ftp protocol is unfortunately not very firewall friendly, and it involves far more ports and connections than you have accounted for in your rules. You should have a look at ftp-proxy(8) and closely study the pf examples there. I'm sure it will solve your problem.

/Morgan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
pf headaches: why won't it let me fetch from ftp servers?
Dear freebsd list,

I have the following pf.conf file:

    tcp_services = { ftp, ssh, domain, www, auth, https }
    udp_services = { ftp, domain, ntp }
    icmp_types = echoreq

    block all
    pass inet proto icmp all icmp-type $icmp_types keep state
    #pass in proto tcp to any port 22 keep state
    pass out proto tcp to any port $tcp_services keep state
    #pass out proto tcp to any port 25 keep state
    #pass out proto tcp to any port 465 keep state
    #pass out proto tcp to any port 587 keep state
    pass out proto tcp to any port 5999 keep state
    #pass out all keep state
    #pass out proto tcp to any keep state
    pass out proto udp to any port $udp_services

However, if I try to fetch a file from an ftp server as in the following example:

    fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

I get the result:

    Operation not permitted

My first question is: what is causing this? If I stop pf, then I'm able to fetch it.

My second question is: is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?

Brgds
Dino
Re: pf headaches: why won't it let me fetch from ftp servers?
On Thu, Jan 7, 2010 at 2:38 PM, Dino Vliet <dino_vl...@yahoo.com> wrote:
> Dear freebsd list,
> I have the following pf.conf file: [ruleset as in the original message]
> However, if I try to fetch a file from an ftp server as in the following example:
>     fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
> I get the result:
>     Operation not permitted
> My first question is: what is causing this? If I stop pf, then I'm able to fetch it.
> My second question is: is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
> Brgds
> Dino

Dino-

Default behavior for FTP is that you open a connection to the server on port 20 and then the server opens a connection back to you on another port, basically. This means that when you have the firewall active you're blocking this inbound connection on the alternate port. The easiest way to work around this and still get the security of having a firewall running is to use PASSIVE mode in your FTP client, which basically indicates that the client will open the second connection to the server:

    $ fetch -p ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ

There's also an environment variable (FTP_PASSIVE_MODE) that you can set to default to passive FTP. See fetch(3), but basically set it to anything besides "no" to set the default.

Cheers,
Ben
RE: pf headaches: why won't it let me fetch from ftp servers?
I'm not all that familiar with pf syntax, but you know ftp uses ports above 1023, right? Is pf stateful by default so it can allow the ports above 1023? Also, make sure you're using passive (PASV) ftp.

G

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Dino Vliet
Sent: Thursday, January 07, 2010 3:39 PM
To: freebsd-questions@freebsd.org
Subject: pf headaches: why won't it let me fetch from ftp servers?

Dear freebsd list,
I have the following pf.conf file: [ruleset as in the original message]
However, if I try to fetch a file from an ftp server as in the following example:
    fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/bash/FAQ
I get the result:
    Operation not permitted
My first question is: what is causing this? If I stop pf, then I'm able to fetch it.
My second question is: is my ruleset looking fine, as I want to block everything and only let some specific services go out? Or does it need to be tightened more?
Brgds
Dino
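Ben's and G's points (a second data connection per transfer, in passive mode opened outbound by the client to an unprivileged port the server announces; in active mode opened inbound by the server) can be checked against Dino's own ruleset. The script below is an added illustration, not code from this thread or from FreeBSD: a toy model of pf's last-matching-rule evaluation that understands only the rule shapes Dino's pf.conf uses, plus a decoder for the FTP 227 PASV reply that tells the client which server port the data connection will go to. It evaluates Dino's rules and then a variant that adds one `pass out` rule for the passive data connection; that extra rule is my suggestion, not one given in the thread. The sample PASV reply and the 192.0.2.10 address are constructed. One caveat the model makes visible: with `block all` and `pass out` rules for named ports only, `fetch -p` is not enough by itself, because the passive data connection goes out to a port the ruleset never lists and is dropped; pf hands EPERM to the local socket in that case, which is what fetch prints as "Operation not permitted". The variant keeps the inbound active-mode data connection blocked.

```python
"""Toy model of pf's last-matching-rule evaluation, applied to the FTP flows
discussed in this thread.  Added illustration, not pf itself: it understands
only the rule shapes used in Dino's pf.conf (macros, `block all`,
`pass in|out proto tcp|udp to any port ...`, port lists/ranges, `keep state`)."""
import re

# Dino's TCP/UDP rules, copied from the thread (ICMP rule and the
# commented-out lines omitted).
ORIGINAL_RULES = """
tcp_services = { ftp, ssh, domain, www, auth, https }
udp_services = { ftp, domain, ntp }
block all
pass out proto tcp to any port $tcp_services keep state
pass out proto tcp to any port 5999 keep state
pass out proto udp to any port $udp_services
"""

# Suggested variant (an assumption of this example, not a rule from the
# thread): keep `block all` and add one `pass out` for the passive-mode data
# connection, which the client opens *outbound* to an unprivileged port the
# server picks.  Active-mode data connections arrive *inbound* and stay
# blocked.  pf's `user` keyword can narrow this further if wanted.
HARDENED_RULES = ORIGINAL_RULES + "pass out proto tcp to any port 1024:65535 keep state\n"

# The /etc/services names the rules use.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "domain": 53, "www": 80,
                 "auth": 113, "https": 443, "ntp": 123}

RULE_RE = re.compile(
    r"^(pass|block)(?:\s+(in|out))?(?:\s+(all))?(?:\s+proto\s+(tcp|udp))?"
    r"(?:\s+to\s+any\s+port\s+(\{[^}]*\}|\S+))?(?:\s+keep\s+state)?$")


def _port_ranges(spec, macros):
    """Expand `ftp`, `5999`, `1024:65535`, `{ a, b }` or `$macro` into (lo, hi) pairs."""
    if spec.startswith("$"):
        spec = macros[spec[1:]]
    ranges = []
    for item in spec.strip("{} ").split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = item.split(":")
            ranges.append((int(lo), int(hi)))
        elif item.isdigit():
            ranges.append((int(item), int(item)))
        else:
            ranges.append((SERVICE_PORTS[item], SERVICE_PORTS[item]))
    return ranges


def parse_rules(text):
    """Parse macros and rules; anything outside the supported subset is an error."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and not line.startswith(("pass", "block")):
            name, value = line.split("=", 1)
            macros[name.strip()] = value.strip()
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule: " + line)
        action, direction, _all, proto, port = m.groups()
        rules.append({"action": action, "dir": direction, "proto": proto,
                      "ports": _port_ranges(port, macros) if port else None})
    return rules


def evaluate(rules, direction, proto, dport):
    """Verdict for the first packet of a connection: the last matching rule
    wins (no `quick` here), and pf passes when nothing matches."""
    verdict = "pass"
    for r in rules:
        if r["dir"] not in (None, direction) or r["proto"] not in (None, proto):
            continue
        if r["ports"] is not None and not any(lo <= dport <= hi for lo, hi in r["ports"]):
            continue
        verdict = r["action"]
    return verdict


PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode the data endpoint from an FTP 227 reply (RFC 959): port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: " + reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


# Constructed sample reply (192.0.2.0/24 is a documentation range).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,158,65)"


def ftp_verdicts(rules_text, pasv_reply=SAMPLE_PASV, active_client_port=49152):
    """Verdicts for the three FTP flows: outbound control connection to port 21,
    outbound passive data connection to the announced server port, and the
    inbound active-mode data connection the server would open to a client port."""
    rules = parse_rules(rules_text)
    _, pasv_port = parse_pasv(pasv_reply)
    return {"control": evaluate(rules, "out", "tcp", 21),
            "passive_data": evaluate(rules, "out", "tcp", pasv_port),
            "active_data": evaluate(rules, "in", "tcp", active_client_port)}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("with data rule", HARDENED_RULES)):
        print(name, ftp_verdicts(text))
```

Running it shows the control connection passing under both rulesets, the passive data connection blocked under Dino's rules and passed once the extra `pass out` rule is present, and the inbound active-mode data connection blocked in both cases. Morgan's ftp-proxy(8) suggestion is the alternative when the pf host is a gateway for other clients; the proxy tracks the negotiated data ports and opens only those, which is narrower than a blanket unprivileged-port rule.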