Comments on: BSD FTP-Proxy: PF Firewall Allow Outgoing Active / Passive FTP Connections

By: Hasse

Hasse — Sat, 07 Jan 2012 19:07:36 +0000

Thanks
As usual, it’s a pleasure following your tutorials. They simply works.

By: Ben Francom

Ben Francom — Thu, 25 Nov 2010 12:29:24 +0000

Thanks for the great article, and explanation. The comments are also very informative. It helped me recently with an instance of PF, FreeBSD and FTP.

By: stiv

stiv — Wed, 31 Mar 2010 10:09:06 +0000

Thank you for good article.
But if I use the rule
# keep stats of outging connections
pass out keep state
I don’t need any other rules such as
# Allow outgoing via ssh, smtp, domain, www, https, whois etc
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

By: Vivek Gite

Vivek Gite — Mon, 09 Nov 2009 05:43:47 +0000

@ Colin

Thanks for the heads up!

By: Colin

Colin — Sun, 08 Nov 2009 20:26:30 +0000

Hi Vivek,

I think there is an error here:

# pfctl -nf /etc/rc.conf
# pfctl -f /etc/rc.conf

Should be this:
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf

In any case, thanks for a useful page and a very useful site. I keep coming back.

-Colin

By: SIFE

SIFE — Mon, 28 Sep 2009 12:54:25 +0000

Salamo Alikom
@Vivek Gite
this rules you had sets it fix my problem , thx.

By: John

John — Tue, 11 Aug 2009 10:26:42 +0000

@Vivek
Thanks, that would make sense. Unfortunately it also means that my block out rule is essentially rendered useless. A few people here use personal laptops with the BBC iPlayer installed which can eat bandwidth. By only allowing out required traffic, it makes life a lot easier.
Any chance I can keep my cake and eat it :-)

By: Vivek Gite

Vivek Gite — Tue, 11 Aug 2009 10:11:00 +0000

@John,

Try:

pass out on $ext_if inet proto tcp from any to any port ftp
pass out on $ext_if inet proto tcp from any to any port >1023

By: John

John — Tue, 11 Aug 2009 09:57:26 +0000

I’ve got ftp-proxy working on my firewall for all the clients behind it. However I can’t ftp (using Active or Passive) from the actual firewall itself, which is making installing/upgrading ports tedious.

For example:
#pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/ifstated.tbz
Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/ifstated.tbz: Operation not permitted
pkg_add: unable to fetch ‘ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/ifstated.tbz‘ by URL

I’m guessing that this is because no redirection is being done as the request is being sent straight out the default route interface (I verified this by pausing the pkg_add command, and executing netstat -f inet | grep ftp).
Any suggestions as to how I can get around this. Surely this is something that others have encountered.

By: John Dakos

John Dakos — Fri, 17 Jul 2009 13:06:38 +0000

Good Job Man :) This Tutorial Help Me To Understand Ftp-Proxy and RDR. Thanks