Re: ftp-proxy, and one nic: oh my...

2006-03-16 Thread frederick thomas

thanks for writing back,
  i know that you're busy so...

ifconfig -a
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::250:8dff:fe5a:18a0%vr0 prefixlen 64 scopeid 0x1
        inet 69.205.XX.122 netmask 0xf000 broadcast 255.255.255.255
        ether 00:50:8d:5a:18:a0
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
pfsync0: flags=0<> mtu 2020


i can surf and telnet; i took out the quick keyword but i'm still only
logging rule 4. i'm still new at tcp/ip and services so how do i make an
exception to my isp's dhcp server?  you can see from above my
nic's address is not a 10.mumble. i read your paper and the manpage for
ftp-proxy so maybe i should roll
back to a less strict ruleset. btw i really like pf, for a newbie it has
an easy curve for learning. once i get this running i'll install a
second nic and try to do the invisible bridge thing. i want to go into
security so i need to get this right. thanks again.

nikita
-- 
  frederick thomas
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
  love email again


ftp-proxy, and one nic: oh my...

2006-03-15 Thread frederick thomas
i'm running freebsd 5.4 with only one nic (single user until i get a
router) so i don't think i can do nat. i've had no luck in getting the
damn thing to ftp. i added to the /etc/inetd.conf file the line

ftp-proxy:  stream  tcp  nowait  root  /usr/libexec/ftp-proxy  ftp-proxy

and my /etc/pf.conf so far:

extif = vr0

tcpservices = { 20, 21, 25, 53, 67, 68, 80, 110, 123, 546, 631 }

udpservices = { 20, 21, 25, 53, 67, 68, 80, 110, 123, 546, 631 }

dhcp = 10.118.160.1

icmptypes = echoreq

privnets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

scrub in all

rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

block drop in  log quick on $extif from $privnets to any

block drop out log quick on $extif from any to $privnets

block drop in  log quick on $extif proto icmp all

pass quick on lo0

pass out quick log on $extif proto udp from ($extif) port 68 to $dhcp port 67 keep state

pass in  quick log on $extif proto udp from ($dhcp)  port 67 to ($extif) port 68 keep state

pass out quick on $extif proto tcp from ($extif) to any port $tcpservices keep state

pass out quick on $extif proto udp from ($extif) to any port $udpservices keep state

pass out inet proto icmp all icmp-type $icmptypes keep state

pass out quick on $extif inet proto udp from any to any port 22:23 keep state

pass in quick on $extif inet proto udp from any to any port 22:23 keep state

pass out quick on $extif inet proto tcp from any to any port 22:23 keep state

pass in quick on $extif inet proto tcp from any to ($extif) user proxy keep state

i really hate asking for help but i've exhausted every site and faq on
the web and it all points to nat, so do i have to install a dummy card to
get this to work or can i just adjust the rule set? lastly, as you can see
from my conf, i'm trying to log all rfc 1918 addresses and my isp's dhcp
server inbound, but so far i only get rule four (4) of the expansion of
the privnets macro to log. any help would be appreciated greatly. peace


*is this the door where i came in?
-- 
  frederick thomas
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - Faster than the air-speed velocity of an
  unladen european swallow
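As an added illustration, not from the post: a small Python model of pf's rule evaluation (last match wins unless a matching rule is quick), fed with the block and DHCP rules from the pf.conf above (lo0 and the later service rules left out, and the host's redacted address replaced by the constructed 192.0.2.122). Counting `block all` as rule 0, it shows a DHCP reply from 10.118.160.1 being decided by rule 4, the 10.0.0.0/8 expansion of $privnets, before the later `pass in` exception is reached, and what changes when the two DHCP rules are moved ahead of the privnets blocks.

```python
from ipaddress import ip_address, ip_network

# Macros and addresses from the posted pf.conf; the host's own address is
# redacted in the post, so 192.0.2.122 stands in for it (constructed).
PRIVNETS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
DHCP = "10.118.160.1"
HOST = "192.0.2.122"

def rule(action, direction, proto=None, src="any", sport=None,
         dst="any", dport=None, quick=False, log=False):
    """One filter rule; 'any'/None fields match everything."""
    return dict(action=action, direction=direction, proto=proto, src=src,
                sport=sport, dst=dst, dport=dport, quick=quick, log=log)

def _in_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(r, pkt):
    return (r["direction"] in ("any", pkt["direction"])
            and r["proto"] in (None, pkt["proto"])
            and _in_net(r["src"], pkt["src"]) and _in_net(r["dst"], pkt["dst"])
            and r["sport"] in (None, pkt["sport"])
            and r["dport"] in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """pf semantics: last matching rule wins, but a matching 'quick' rule
    ends evaluation immediately. Returns (index, rule)."""
    winner = None
    for i, r in enumerate(rules):
        if matches(r, pkt):
            winner = (i, r)
            if r["quick"]:
                break
    return winner

def posted_ruleset():
    """Filter rules in the posted order; scrub/rdr carry no filter index."""
    rules = [rule("block", "any")]                                   # rule 0
    rules += [rule("block", "in", src=n, quick=True, log=True) for n in PRIVNETS]
    rules += [rule("block", "out", dst=n, quick=True, log=True) for n in PRIVNETS]
    rules.append(rule("block", "in", proto="icmp", quick=True, log=True))
    rules.append(rule("pass", "out", proto="udp", src=HOST, sport=68,
                      dst=DHCP, dport=67, quick=True, log=True))
    rules.append(rule("pass", "in", proto="udp", src=DHCP, sport=67,
                      dst=HOST, dport=68, quick=True, log=True))
    return rules

def reordered_ruleset():
    """Same rules, DHCP exceptions moved ahead of the privnets blocks."""
    rules = posted_ruleset()
    return rules[:1] + rules[-2:] + rules[1:-2]

def decide(rules, pkt):
    """(rule index, action) for pkt, i.e. what pflog would attribute it to."""
    i, r = evaluate(rules, pkt)
    return i, r["action"]
```

With the reordered set, traffic from other 10.0.0.0/8 sources is still caught by the privnets block; only the configured server's DHCP exchange is exempted.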