Hi,

I'm going to university in one week and the university explicitly says
that only one computer (including hardware routers/firewalls) may be
connected to their network; hence, I must run PF on my workstation.

I'm running default deny for both outgoing and incoming packets.

The problem is that PF cannot determine which port is going to be used
as the data port for the FTP transfer (i.e. which port has been
negotiated by my FTP client, ftp, and the server's FTP server).

I know ftp-proxy is used usually for firewalls, but ftp-proxy doesn't
allow me to do something such as:
rdr proto tcp from 127.0.0.1 to any port ftp -> 127.0.0.1 port 8021

The solution I've used is to just open all ports from porthifirst to
porthilast for outgoing connections, but I'd much rather only the
needed port be opened.

I know iptables solves this by reading the PORT verb and determining
which port is going to be used for data transfer.

Does anybody know of any solution I can use on OpenBSD which only
requires the required port being opened for outgoing connections?

Tom

PS. Here's my pf.conf:
#
#       --- MACROS ---
#
ext_if="nfe0"
int_if="lo0"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 6667, 443, 21 }"
udp_services = "{ domain }"
icmp_types="echoreq"
ftp_ports = "{ 40000 >< 65535 }"

#
#       --- OPTIONS ---
#
set block-policy drop
set loginterface $ext_if
set skip on lo0

#
#       --- TRAFFIC NORMALIZATION ---
#
scrub in all

#
#       --- TRANSLATION ---
#

#
#       --- FILTERING ---
#
block log all

antispoof for $ext_if
antispoof for $int_if

pass out proto tcp to any port $tcp_services modulate state
pass proto udp to any port $udp_services keep state

# For outgoing pings
pass out inet proto icmp all icmp-type $icmp_types keep state

# For FTP
pass out proto tcp to any port $ftp_ports keep state
