gotian
07-22-2008, 10:43 AM
Hello,
I have two problems connected with PF on FreeBSD 7.0.
1) I can't connect to ftp servers on router(FreeBSD), but NAT users can. Here is my pf.conf
ext_if="nfe0"
int_if="dc0"
int_net="192.168.6.0/24"
table <firewall> const { self }
set skip on lo
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if from $int_net to any -> $ext_if
block drop in all
pass in on $int_if from $int_net to any
block out all
anchor "ftp-proxy/*"
pass in proto tcp to <firewall> port { ssh } modulate state
pass in on $int_if proto icmp from $int_net to <firewall> keep state
pass out on $int_if all modulate state
pass out on $ext_if proto { tcp udp } from any to any port { 53 21 20 } modulate state
pass out on $ext_if proto icmp from any to any keep state
ftp session on router:
[root@freebsd ~]# ftp ftp.freebsd.org
Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:ftp): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43044|)
500 Illegal EPRT command.
500 Illegal PORT command.
425 Use PORT or PASV first.
If I put rule: pass out all then everything is OK. But I want to have out traffic default block.
2) I have in NAT 100 computers and I want to give this same bandwidth for each, and I don't want to create 100 rules :). In linux is SFQ or WFQ that can do so. Is anything on FreeBSD that is similar??
Thanks for help
I have two problems connected with PF on FreeBSD 7.0.
1) I can't connect to ftp servers on router(FreeBSD), but NAT users can. Here is my pf.conf
ext_if="nfe0"
int_if="dc0"
int_net="192.168.6.0/24"
table <firewall> const { self }
set skip on lo
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
nat on $ext_if from $int_net to any -> $ext_if
block drop in all
pass in on $int_if from $int_net to any
block out all
anchor "ftp-proxy/*"
pass in proto tcp to <firewall> port { ssh } modulate state
pass in on $int_if proto icmp from $int_net to <firewall> keep state
pass out on $int_if all modulate state
pass out on $ext_if proto { tcp udp } from any to any port { 53 21 20 } modulate state
pass out on $ext_if proto icmp from any to any keep state
ftp session on router:
[root@freebsd ~]# ftp ftp.freebsd.org
Trying 204.152.184.73...
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:ftp): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||43044|)
500 Illegal EPRT command.
500 Illegal PORT command.
425 Use PORT or PASV first.
If I put rule: pass out all then everything is OK. But I want to have out traffic default block.
2) I have in NAT 100 computers and I want to give this same bandwidth for each, and I don't want to create 100 rules :). In linux is SFQ or WFQ that can do so. Is anything on FreeBSD that is similar??
Thanks for help