Query about pf.conf

2009-10-01 Thread AG

Hello

I want to see why I am unable to download via ftp.  I believe that it 
would have something to do with my pf.conf file in my firewall, so have 
listed that below.


### simple pf.conf ##
# allow all outgoing TCP, UDP
# allow outgoing ICMP ping
# specifically block 11 common inet services
# Modified for nntp and bittorrent
#


# MACRO
ext_if = rl0
int_if = vr0
PING = echoreq
allow_tcp = { 119 }  #Port needed for nntp server

#IntNet = 192.168.1.0/24  #Sub-net range
#InBitTCP = { 6969, 6881:6889 }   #Ports needed for BitTorrent
#BitIP = 192.168.1.40 #BitTorrent client

tcp_services = { smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh, telnet, rsync }

udp_services = { domain }


# OPTIONS:
set block-policy drop
set optimization normal
set loginterface $ext_if

# SCRUB:
scrub in on $ext_if all

# NAT/RDR
nat on $ext_if from $int_if:network to any -> $ext_if

#nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if static-port
#nat on $ext_if proto udp from $IntNet port $InBitTCP to any -> $ext_if static-port
#rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
#rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP port 6881:6889

# filter:

block log on $ext_if all

#pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP flags S/SA synproxy state
#pass in quick on $ext_if inet proto udp from any to any port $InBitTCP

#pass out on $int_if inet proto tcp from any to $IntNet port $port_bittorrent flags S/SA synproxy state
#pass out on $int_if inet proto udp from any to $IntNet port $port_bittorrent


pass quick on lo0 all

pass out on $ext_if proto tcp from any to any port $allow_tcp keep state

pass out quick on $ext_if inet proto tcp from \
   { $ext_if:network, $int_if:network } to any port $tcp_services keep state

pass out quick on $ext_if inet proto udp from \
   { $ext_if:network, $int_if:network } to any port $udp_services keep state

pass out quick on $ext_if inet proto icmp from \
   { $ext_if:network, $int_if:network } to any icmp-type $PING keep state

antispoof for $ext_if
antispoof for $int_if

## /etc/pf.conf ends ##

Can anyone shine a light on this to help me out please?

Many TIA.

AG
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Query about pf.conf

2009-10-01 Thread Tim Judd
ftp-proxy(8)

please read.  Especially the configuration section.


Re: Query about pf.conf

2009-10-01 Thread krad
2009/10/1 Tim Judd taj...@gmail.com

> ftp-proxy(8)
>
> please read.  Especially the configuration section.


Does passive ftp work? If so, then yes, read ftp-proxy. Basically, normal or
active ftp requires the ftp server to connect back to the client. Therefore
the firewall needs to know to forward this connection on. ftp-proxy does
this for you.
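The ftp-proxy(8) glue that both replies point at, written against the macros in AG's pf.conf as an added example (it is not from the thread or from the ftp-proxy man page verbatim). It assumes the FreeBSD base-system ftp-proxy is started from rc.conf with ftp_proxy_enable="YES" and listens on its default 127.0.0.1 port 8021; the $proxy macro and the comments are mine. The nat-anchor/rdr-anchor lines belong in the NAT/RDR section and the anchor line in the filter section, since pf of that era requires translation rules before filter rules.

```pf
# ftp-proxy(8) glue for the pf.conf posted above (added example, not from the thread).
# Assumes ftp-proxy is enabled in /etc/rc.conf with ftp_proxy_enable="YES" and
# listens on 127.0.0.1 port 8021 (its default).

ext_if = rl0
int_if = vr0
proxy  = 127.0.0.1          # address ftp-proxy listens on (assumed default)

# --- NAT/RDR section: put these above the existing "nat on $ext_if" rule ---
# ftp-proxy inserts nat and rdr rules into these anchors on the fly, one
# pair per data connection, as it watches each FTP session's PORT/PASV exchange.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Transparently hand the LAN's FTP control connections to the proxy.
# "rdr pass" also creates the matching pass rule, so no extra "pass in" is needed.
rdr pass on $int_if inet proto tcp from $int_if:network to any port ftp \
    -> $proxy port 8021

# --- filter section: put this after "block log on $ext_if all" ---
# The pass rules ftp-proxy adds for the data connections are evaluated here.
# Without this anchor the "block ... all" above still drops them.
anchor "ftp-proxy/*"

# The proxy opens the control connection to the remote server from the
# firewall's own external address, so that has to be allowed out explicitly.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp \
    flags S/SA keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. While a transfer is running, `pfctl -a 'ftp-proxy/*' -sr` shows the temporary rules the proxy has inserted; if the data channel still fails, running the proxy in the foreground with `ftp-proxy -d -D7` prints the PORT/PASV negotiation it saw and the rules it tried to add.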