pf allow ftp access
Trying to configure ftp access to be able to download the BSD ports collection.
# Allow access to ftp
pass out on $if proto tcp from $if to any port { 21 , 20 }
The above does not work. What am I missing?
Thanks
s0xxx
08-11-2008, 04:52 PM
You will have to post your complete pf.conf in order to see other rules and what $if represents. Give more info to get more info! ;)
# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"
# Tables
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/brufeforce"
# Set Optimizations:
set loginterface $ext_if
set skip on lo0
# Normalization / scrubbing
scrub in all
antispoof quick for { lo0 $ext_if }
block all
block quick from <bruteforce>
pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8
# Allow access to sshd.
pass in on $ext_if proto tcp from <sshadmins> to self port ssh
# Allow access to ftp
pass out on $ext_if proto tcp from $if to any port { 21 , 20 }
# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
chris
08-11-2008, 08:50 PM
Shouldn't $if be $ext_if?
ephemera
08-11-2008, 09:15 PM
It looks like (I don't know pf, just guessing from the syntax) your ruleset doesn't allow ftp.
There are two ways of transfer: active and passive.
For active transfers you will need to allow the ftp server to connect (active open) from server port 20.
For pasv tx you should allow the client to do an active open on an ephemeral port on the server. You can maybe add the following rule at the end to allow pasv tx:
pass out proto tcp from self to any keep state
It is already $ext_if; my typing error.
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }
Yes, I have been reading about active and passive ftp, but the rules I need are still problematic.
I am already letting out traffic with the above rule. Why do I need to let out all traffic from any port with the below rule? Is this not insecure?
pass out proto tcp from self to any keep state
J65nko
08-11-2008, 11:37 PM
Passive ftp uses two connections
ftp command channel
client: client_ip:port>1023 --> server_ip:port_21
server: server_ip:port_21 --> client_ip:port>1023
data channel
client: client_ip:port>1023 --> server_ip:port>1023
server: server_ip:port>1023 --> client_ip:port>1023
So the second rule, pass out proto tcp from self to any keep state, will allow the ftp command channel.
Because most people find a rule like this rather permissive (it allows for example MSN connections), a proxy is needed.
See ftp-proxy for the details.
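The two connections J65nko lays out above, traced on a constructed control-channel transcript. This is an added example, not code from the thread or from ftp-proxy: it decodes the server's 227 (PASV) and 229 (EPSV) replies and the client's PORT command the way an FTP-aware proxy has to, and emits the narrowest pf rule that would permit only that one data connection, which is the kind of per-transfer rule a proxy installs in its anchor instead of the blanket "pass out proto tcp from self to any keep state". The addresses, ports, transcript and rule wording are assumptions made up for the demo.

```python
import re

# Server-side announcements of where the data connection will go.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # RFC 959 PASV reply
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")                         # RFC 2428 EPSV reply
# Client-side announcement for active mode: where the server should connect back.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(octets):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), the RFC 959 encoding."""
    h1, h2, h3, h4, p1, p2 = map(int, octets)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _passive(client_ip, server_ip, host, port, mode):
    # The client will do the active open towards the server's ephemeral port.
    # Only accept an address that really is the server's and a port above the
    # reserved range; anything else gets no rule.
    ok = host == server_ip and port > 1023
    return {
        "mode": mode,
        "connection": f"{client_ip}:>1023 -> {host}:{port}",
        "ok": ok,
        "rule": (f"pass out proto tcp from {client_ip} to {host} port {port} keep state"
                 if ok else None),
    }


def _active(client_ip, server_ip, host, port):
    # The server will connect back from port 20 to the port the client announced.
    ok = host == client_ip and port > 1023
    return {
        "mode": "PORT",
        "connection": f"{server_ip}:20 -> {host}:{port}",
        "ok": ok,
        "rule": (f"pass in proto tcp from {server_ip} port 20 to {host} port {port} keep state"
                 if ok else None),
    }


def data_channels(transcript, client_ip, server_ip):
    """Walk 'C: ...' / 'S: ...' control-channel lines and describe every data
    connection they negotiate, with the narrowest pf rule for each."""
    channels = []
    for raw in transcript:
        who, _, text = raw.partition(": ")
        if who == "S" and (m := PASV_RE.match(text)):
            host, port = decode_hostport(m.groups())
            channels.append(_passive(client_ip, server_ip, host, port, "PASV"))
        elif who == "S" and (m := EPSV_RE.match(text)):
            channels.append(_passive(client_ip, server_ip, server_ip, int(m.group(1)), "EPSV"))
        elif who == "C" and (m := PORT_RE.match(text)):
            host, port = decode_hostport(m.groups())
            channels.append(_active(client_ip, server_ip, host, port))
    return channels


# Constructed transcript (not a real capture); addresses are from documentation ranges.
CLIENT_IP, SERVER_IP = "198.51.100.7", "192.0.2.10"
SAMPLE_TRANSCRIPT = [
    "S: 220 ftp.example.org FTP server ready",
    "C: USER anonymous",
    "S: 331 Guest login ok, send your email address as password",
    "C: PASS guest@",
    "S: 230 Login successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256+80 = port 50000
    "C: RETR ports.tar.gz",
    "S: 226 Transfer complete",
    "C: PORT 198,51,100,7,4,1",                          # 4*256+1 = port 1025
    "S: 200 PORT command successful",
    "C: LIST",
    "S: 226 Transfer complete",
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||50021|)",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,9,200,0)",   # not the server's address: refused
]

if __name__ == "__main__":
    for ch in data_channels(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print(f"{ch['mode']:4} {ch['connection']:42} {ch['rule'] or 'no rule (refused)'}")
```

The point of the exercise is the contrast with the rule under discussion: the command channel needs only port 21, but each data connection lands on a port that is not known until the 227/229 reply or PORT command has been read, so a static ruleset can either open everything (the permissive rule) or read the control channel and open one port for one peer at a time (what ftp-proxy does).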
ephemera
08-12-2008, 07:03 AM
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }
Yes, I have been reading about active and passive ftp, but the rules I need are still problematic.
I am already letting out traffic with the above rule. Why do I need to let out all traffic from any port with the below rule? Is this not insecure?
pass out proto tcp from self to any keep state
For pasv ftp tx the above rule will allow your ftp client to establish a data connection to the ftp server on an ephemeral port (> 1023) on the server.
Anyway, ftp-proxy may be a better option.
jleal
08-13-2008, 02:26 AM
You should use ftp-proxy. Do this:
/etc/rc.conf
Append the following line:
ftpproxy_enable="YES"
Open your /etc/pf.conf file and add the following into your NAT section:
To activate it, put something like this in the NAT section of pf.conf:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
All three rules are required, even if your setup does not use NAT. Find your filtering rules and append the following:
anchor "ftp-proxy/*"
use this link also
http://www.cyberciti.biz/faq/freebsd-opebsd-pf-firewall-ftp-configuration/
Good luck!!!
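Two of the checks the thread arrives at, as a script over a constructed pf.conf modelled on the one posted earlier. This is an added example, not code from the thread, from pf or from the linked article: it resolves $macro references to catch a macro that was never defined (the $if slip chris points out; pfctl -nf /etc/pf.conf reports the same thing as a parse error), checks that jleal's three ftp-proxy lines and the filter anchor are present, and flags translation rules that appear after the first filter rule, which the pf grammar of that era rejects ("Rules must be in order: options, normalization, queueing, translation, filtering"). The file contents and line numbers below are constructed for the demo.

```python
import re

MACRO_DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(".*?"|\S+)\s*$')
MACRO_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# Translation rules (nat/rdr/binat and their anchors) had to precede filter rules
# in the pf grammar current in 2008.
TRANSLATION_RE = re.compile(r"^\s*(nat|rdr|binat)(-anchor)?\b")
FILTER_RE = re.compile(r"^\s*(pass|block|antispoof)\b")
# The three lines jleal lists, plus the filter anchor.
FTP_PROXY_LINES = {
    "nat-anchor": re.compile(r'^\s*nat-anchor\s+"ftp-proxy/\*"'),
    "rdr-anchor": re.compile(r'^\s*rdr-anchor\s+"ftp-proxy/\*"'),
    "rdr pass": re.compile(r'^\s*rdr\s+pass\s+.*\bport\s+ftp\s+->\s+127\.0\.0\.1\s+port\s+8021\b'),
    "anchor": re.compile(r'^\s*anchor\s+"ftp-proxy/\*"'),
}


def strip_comment(line):
    """Drop a trailing '# ...' comment (good enough for a config with no quoted '#')."""
    return line.split("#", 1)[0].rstrip()


def undefined_macros(conf):
    """Return [(lineno, name)] for every $name used without an earlier definition.
    pf expands macros while parsing, so a definition must come before its use."""
    defined, problems = set(), []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            refs = MACRO_REF_RE.findall(m.group(2))  # a value may use earlier macros
        else:
            refs = MACRO_REF_RE.findall(line)
        problems.extend((n, name) for name in refs if name not in defined)
    return problems


def ftp_proxy_check(conf):
    """Return {'missing': [ftp-proxy lines not found],
               'misplaced': [line numbers of translation rules after the first filter rule]}."""
    missing = set(FTP_PROXY_LINES)
    misplaced = []
    first_filter = None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        if first_filter is None and FILTER_RE.match(line):
            first_filter = n
        if TRANSLATION_RE.match(line) and first_filter is not None:
            misplaced.append(n)
        for name, rx in FTP_PROXY_LINES.items():
            if rx.match(line):
                missing.discard(name)
    return {"missing": sorted(missing), "misplaced": misplaced}


# Constructed pf.conf for the demo, modelled on the one posted above.
SAMPLE_CONF = """\
# constructed pf.conf for the demo
ext_if="rl0"
tcp_services = "{ domain, www, https }"
set skip on lo0
scrub in all
antispoof quick for { lo0 $ext_if }
block all
pass proto tcp from any to self port $tcp_services
# the slip under discussion: $if was never defined
pass out on $ext_if proto tcp from $if to any port { 21, 20 }
# ftp-proxy glue pasted at the end, after filter rules, where the old grammar rejects the rdr lines
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
"""

if __name__ == "__main__":
    for lineno, name in undefined_macros(SAMPLE_CONF):
        print(f"line {lineno}: macro '{name}' not defined")
    print(ftp_proxy_check(SAMPLE_CONF))
```

On the constructed file this reports line 10 for $if and lines 12 to 14 as translation rules placed after the first filter rule (the antispoof line), which is where the posted config would have ended up if the ftp-proxy lines were appended at the bottom instead of in the NAT section as jleal says.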
jleal
08-25-2008, 05:12 AM
No problem. Also, you may want to check ftpproxy_flags="" in rc.conf.
You are welcome!