Hi, I'm going to university in one week and the university explicitly says that only one computer (including hardware routers/firewalls) may be connected to their network; hence, I must run PF on my workstation.

I'm running default deny for both outgoing and incoming packets. The problem is that PF cannot determine which port is going to be used as the data port for the FTP transfer (i.e. which port has been negotiated by my FTP client, ftp, and the server's FTP server). I know ftp-proxy is usually used for firewalls, but ftp-proxy doesn't allow me to do something such as:

    rdr proto tcp from 127.0.0.1 to any port ftp -> 127.0.0.1 port 8021

The solution I've used is to just open all ports from porthifirst to porthilast for outgoing connections, but I'd much rather only the needed port be opened. I know iptables solves this by reading the PORT verb and determining which port is going to be used for data transfer.

Does anybody know of any solution I can use on OpenBSD that only requires the needed port to be opened for outgoing connections?

Tom

PS. Here's my pf.conf:

    #
    # --- MACROS ---
    #
    ext_if="nfe0"
    int_if="lo0"
    tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 6667, 443, 21 }"
    udp_services = "{ domain }"
    icmp_types="echoreq"
    # Range opened for FTP data connections (see the question above)
    ftp_ports = "{ 40000 >< 65535 }"

    #
    # --- OPTIONS ---
    #
    set block-policy drop
    set loginterface $ext_if
    set skip on lo0

    #
    # --- TRAFFIC NORMALIZATION ---
    #
    scrub in all

    #
    # --- TRANSLATION ---
    #

    #
    # --- FILTERING ---
    #
    # Default deny in both directions; everything below is an exception
    block log all
    antispoof for $ext_if
    antispoof for $int_if

    pass out proto tcp to any port $tcp_services modulate state
    pass proto udp to any port $udp_services keep state

    # For outgoing pings
    pass out inet proto icmp all icmp-type $icmp_types keep state

    # For FTP
    pass out proto tcp to any port $ftp_ports keep state
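The post refers to the way an FTP helper reads the PORT verb to learn the data port. As an added example (not part of the original post, and not the code of OpenBSD's ftp-proxy or of any iptables helper), the Python below parses the four control-channel messages that negotiate the data connection and turns each into the single PF rule that would be needed for it. It assumes constructed sample lines rather than a real capture, and that the caller supplies the server's address for EPSV replies, which carry only a port. The distinction it makes is the one that matters for a default-deny outbound policy: OpenBSD's ftp client defaults to passive mode, so the port to open for an outgoing connection is the one in the server's 227/229 reply, whereas PORT/EPRT announce a port the server will connect in to. Feeding the control channel to this parser (for example from a proxy) and loading the rules into a PF anchor are left out.

```python
import re

# Constructed sample control-channel lines (not a real capture): the two
# server replies a passive-mode client acts on, the two client commands an
# active-mode client sends, and one unrelated line that must be ignored.
SAMPLE_LINES = [
    "220 Welcome",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "229 Entering Extended Passive Mode (|||50012|)",
    "PORT 198,51,100,7,156,64",
    "EPRT |1|198.51.100.7|40004|",
]

# h1,h2,h3,h4,p1,p2 as used by both PORT (RFC 959) and the 227 PASV reply.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d{1,5})\|\s*$", re.IGNORECASE)


def _hostport(fields):
    """Turn the six h1..h4,p1,p2 fields into (host, port), or None if malformed."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def parse_data_endpoint(line, control_peer=None):
    """Return (direction, host, port) for a line that negotiates the data connection.

    direction is "out" when our client will connect out (227 PASV / 229 EPSV
    replies) and "in" when the server will connect in (PORT / EPRT commands).
    Any other line, and any malformed negotiation, yields None rather than a
    rule. control_peer is the server address used for EPSV, which has no host.
    """
    line = line.strip()
    m = _PASV_RE.match(line)
    if m:
        hp = _hostport(m.groups())
        return ("out",) + hp if hp else None
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if control_peer is None or not 1 <= port <= 65535:
            return None
        return ("out", control_peer, port)
    m = _PORT_RE.match(line)
    if m:
        hp = _hostport(m.groups())
        return ("in",) + hp if hp else None
    m = _EPRT_RE.match(line)
    if m:
        port = int(m.group(3))
        if not 1 <= port <= 65535:
            return None
        return ("in", m.group(2), port)
    return None


def pf_rule(endpoint):
    """Render the one PF rule that lets this data connection through a default deny."""
    direction, host, port = endpoint
    if direction == "out":
        # Passive mode: our client opens the data connection to the server's port.
        return "pass out proto tcp from any to %s port %d keep state" % (host, port)
    # Active mode: the server opens the data connection to the port we announced.
    return "pass in proto tcp from %s to any port %d keep state" % (host, port)


def rules_for_session(lines, control_peer):
    """Rules for every negotiation seen on one control channel, in order."""
    endpoints = (parse_data_endpoint(l, control_peer) for l in lines)
    return [pf_rule(e) for e in endpoints if e is not None]


if __name__ == "__main__":
    for rule in rules_for_session(SAMPLE_LINES, "192.0.2.10"):
        print(rule)
```

Each generated rule names a single host and port, which is the narrow opening the post asks for instead of a 40000-65535 range; a rule should be removed again once the data connection's state entry exists, otherwise the list of exceptions only grows.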