local ftp client with egress filtering

I have a machine running 8.2-REL configured as my router.

I'm doing egress filtering and have restricted what ports outbound connections can be made to. For machines on the LAN I'm using ftp-proxy to allow ftp connections. What is the best way to permit the router itself to make ftp connections?

Code:
udp_egress = "53 123 1194"
tcp_egress = "21 53 80 443 8080"

pass out on $wan0 inet proto tcp from ($wan0) to !<priv_nets> port {$tcp_egress}
pass out on $wan0 inet proto udp from ($wan0) to !<priv_nets> port {$udp_egress}
pass out on $wan0 inet proto icmp from ($wan0)
pass out on $wan0 tagged NAT

So, I can currently make control connections (to port 21), but data connections will be blocked.

Thanks.
 
Hmm, does the lack of response mean everyone is enjoying Christmas (as they should) or that there isn't a decent solution?

Given that I only need to ftp out from the router when updating the kernel/world and ports of the host or the jails I have decided that temporarily adding a rule is best. However, editing pf.conf and reloading the entire ruleset is far too cumbersome for my liking. So I added an anchor:

Code:
anchor temp out on $wan0 proto tcp

And before I do maintenance:

Code:
$ echo "pass" | sudo pfctl -a temp -f -

Finally, to remove the rule:

Code:
$ sudo pfctl -a temp -F rules
 
If you know the destination addresses or networks used when doing the updates you could make an exception to egress filtering for those addresses using a table.
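A small wrapper for the anchor approach above, combined with the table suggestion, as an added example (not code from either poster): it loads a rule narrower than a bare "pass" into the temp anchor for the duration of one maintenance command and flushes it afterwards, even if the command fails or is interrupted. It assumes pf.conf already contains the "anchor temp out on $wan0 proto tcp" line, that it runs as root, and the names wan0 and priv_nets from the thread; update_hosts is a hypothetical table of known update servers.

```shell
#!/bin/sh
# Added example: keep the temp anchor populated only while one maintenance
# command runs. Assumes pf.conf has "anchor temp out on $wan0 proto tcp" and
# the script runs as root. PFCTL/ANCHOR can be overridden for a dry run.
PFCTL=${PFCTL:-pfctl}
ANCHOR=${ANCHOR:-temp}

# Build a rule narrower than a bare "pass": only TCP from the router's own
# address on the WAN interface to unprivileged ports, which is what
# passive-mode FTP data connections need. $1 is the interface, $2 the
# destination spec, e.g. '!<priv_nets>' or a table such as '<update_hosts>'.
temp_rule() {
    printf 'pass out on %s inet proto tcp from (%s) to %s port 1024:65535\n' \
        "$1" "$1" "$2"
}

# Remove everything loaded into the anchor (same as the poster's -F rules).
flush_anchor() {
    $PFCTL -a "$ANCHOR" -F rules
}

# Load the rule, run the command given after the two rule arguments, and
# flush the anchor whether the command succeeds, fails or is interrupted.
with_temp_anchor() {
    wan=$1; dst=$2; shift 2
    temp_rule "$wan" "$dst" | $PFCTL -a "$ANCHOR" -f - || return 1
    trap 'flush_anchor; exit 130' INT TERM   # killed mid-update: still flush
    trap flush_anchor EXIT                   # shell exits early under set -e
    "$@"
    rc=$?
    trap - EXIT INT TERM
    flush_anchor
    return $rc
}

# Usage: ./ftp-maint.sh wan0 '<update_hosts>' portsnap fetch update
if [ $# -ge 3 ]; then
    with_temp_anchor "$@"
fi
```

Passive-mode FTP opens the data connection from the router to an unprivileged port on the server, which is what the port range covers; active mode would need the server to connect back in and is not covered by this rule.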
 