I've spent the last couple of days trying to fix this issue and have decided to give up looking and ask for help.
I'm using the pf firewall with the following config (scraped together from a few forums):
/etc/pf.conf
Code:
# Pf Firewall Rules
# Set external Interface
ext_if="sis0"
#Proxy Ports
proxy="127.0.0.1"
proxyport="8021"
#Macros
tcp_out_services = "{ ssh, smtp, domain, www, pop3, auth, https, imap, ntp, 3000, ftp, 5999, 2401, 3690 }"
udp_out_services = "{ domain, ntp, ftp }"
tcp_in_services = "{ ssh, 3000 }"
udp_in_services = "{ }"
#Tables
table <fail2ban> persist
#NAT and RDR start
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect FTP to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
#Block By Default
block all
# FTP anchor
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
#Fail2Ban
block in quick on $ext_if from <fail2ban>
# Pass out Selected Macros
pass out proto tcp to port $tcp_out_services
pass proto udp to port $udp_out_services
pass in proto tcp to port $tcp_in_services
I have also tried the following configuration from the Book of PF:
Code:
# cat /etc/pf.conf
# Pf Firewall Rules
# Set external Interface
ext_if="sis0"
#Proxy Ports
proxy="127.0.0.1"
proxyport="8021"
#Macros
tcp_out_services = "{ ssh, smtp, domain, www, pop3, auth, https, imap, ntp, 3000, ftp, 5999, 2401, 3690 }"
udp_out_services = "{ domain, ntp, ftp }"
tcp_in_services = "{ ssh, 3000 }"
udp_in_services = "{ }"
#Tables
table <fail2ban> persist
#NAT and RDR start
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $ext_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#Handle ICMP - Ping
#icmp_types = "{ echoreq, unreach }"
#Block By Default
block all
# FTP anchor
anchor "ftp-proxy/*"
# Redirect FTP to proxy
pass out proto tcp from $proxy to any port ftp
#Fail2Ban
block in quick on $ext_if from <fail2ban>
# Pass out Selected Macros
pass out proto tcp to port $tcp_out_services
pass proto udp to port $udp_out_services
pass in proto tcp to port $tcp_in_services
pass out proto tcp from $proxy to any port ftp
# Pass out ICMP properly
#pass out proto icmp-type $icmp_types
I just can't seem to get ftp to work in either passive or active mode.
Active fails almost instantly, passive shows the following:
Code:
# pkg_add -rv xmonad
scheme: [ftp]
user: []
password: []
host: [ftp.freebsd.org]
port: [0]
document: [/pub/FreeBSD/ports/i386/packages-9.0-release/Latest/xmonad.tbz]
---> ftp.freebsd.org:21
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
<<< 220 Welcome to freebsd.isc.org.
>>> USER anonymous
<<< 331 Please specify the password.
>>> PASS llawwehttam@zippo.localhost
<<< 230 Login successful.
>>> PWD
<<< 257 "/"
>>> CWD pub/FreeBSD/ports/i386/packages-9.0-release/Latest
<<< 250 Directory successfully changed.
>>> MODE S
<<< 200 Mode set to S.
>>> TYPE I
<<< 200 Switching to Binary mode.
setting passive mode
>>> PASV
<<< 227 Entering Passive Mode (204,152,184,73,247,217).
opening data connection
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9.0-release/Latest/xmonad.tbz: Operation not permitted
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9.0-release/Latest/xmonad.tbz' by URL
pkg_add: 1 package addition(s) failed
/etc/rc.conf:
Code:
# cat /etc/rc.conf
hostname="zippo.localhost"
keymap="uk.iso.kbd"
ifconfig_sis0="DHCP" # Router using MAC address allocation
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
ftpproxy_enable="YES"
ftpproxy_flags=""
fail2ban_enable="YES"
Before anyone asks, yes, it works when PF is disabled.
I'm very new to FreeBSD and have only written firewall rules using UFW in Linux, so the chances are I'll have done something stupid.
Any help is much appreciated.
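The trace above gives the key clue: the control connection to port 21 succeeds, the server answers PASV with (204,152,184,73,247,217), i.e. 204.152.184.73 port 247*256+217 = 63449, and the very next step, "opening data connection", fails with "Operation not permitted". EPERM on connect() is what pf returns when it blocks a packet the box itself generated, and port 63449 is in none of the `pass out` lists. The ftp-proxy rules do not help here: `rdr` only matches packets arriving *on* an interface, so it redirects FTP from hosts that pass through the box, never sessions the box itself opens with pkg_add or fetch. What follows is an added example ruleset, not the poster's configuration and not taken from the Book of PF, written in the FreeBSD 9.x pf syntax used in the post (separate nat/rdr section). It assumes sis0 as the external interface (from the post), and assumes an internal interface named xl0 purely to show where ftp-proxy applies; drop those lines if the box does not forward for a LAN. The high-port rule at the end is the one that makes the box's own passive FTP work.

```pf
# Added example pf.conf (FreeBSD 9.x syntax), not the original poster's file.
ext_if = "sis0"          # from the post
int_if = "xl0"           # ASSUMED: only needed if LAN hosts FTP through this box
proxy = "127.0.0.1"
proxyport = "8021"

tcp_out_services = "{ ssh, smtp, domain, www, pop3, auth, https, imap, ntp, 3000, ftp, 5999, 2401, 3690 }"
udp_out_services = "{ domain, ntp }"   # FTP is TCP only; no point listing it under UDP
tcp_in_services  = "{ ssh, 3000 }"

table <fail2ban> persist

# Never filter loopback: the rdr below hands LAN clients' control connections
# to ftp-proxy on 127.0.0.1:8021, and a bare "block all" would drop those.
set skip on lo0

# --- translation (must come before filter rules in this pf version) ---
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Only packets arriving on $int_if are redirected to ftp-proxy. Connections
# the box opens itself leave via $ext_if and are never seen by this rule.
rdr pass on $int_if proto tcp from any to any port ftp -> $proxy port $proxyport

# --- filtering ---
block log all                                   # "log" so pflog0 shows what was dropped
block in quick on $ext_if from <fail2ban>

# Rules ftp-proxy installs at runtime for the data connections of proxied clients
anchor "ftp-proxy/*"
# ftp-proxy opens its server-side control connection from this host's address
pass out on $ext_if proto tcp from ($ext_if) to any port ftp

pass in on $ext_if proto tcp to ($ext_if) port $tcp_in_services
pass out on $ext_if proto tcp to port $tcp_out_services
pass out on $ext_if proto udp to port $udp_out_services

# The box as FTP client. In passive mode (fetch(3)'s default, as the post's
# trace shows) the data connection is an OUTBOUND connect to a server-chosen
# high port (63449 in the trace). Allow that statefully from this host's own
# address only. Active mode would instead need "pass in" to high ports on
# this box, which is exactly what a default-deny firewall should not open.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 flags S/SA keep state
```

Check the syntax and load it with `pfctl -nf /etc/pf.conf` followed by `pfctl -f /etc/pf.conf`, then run `tcpdump -n -e -ttt -i pflog0` in a second terminal while retrying `pkg_add -rv xmonad`: with the original ruleset you should see the blocked SYN to the PASV port; with this one the data connection should pass. The `($ext_if)` form re-reads the interface address when it changes, which matters because sis0 is on DHCP. The last rule is deliberately narrow (this host's address, TCP, outbound, initial SYN only) but still lets the box reach any high port on the Internet; if that is too broad for your taste, the alternative is to fetch packages over HTTP instead of FTP so no high-port data connection is needed at all.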