|
|
Sponsored Content
Special Forums
IP Networking
Question about pf firewall
Post 302238552 by sporky on Saturday 20th of September 2008 03:57:54 PM
09-20-2008
|
|
9 More Discussions You Might Find Interesting
1. Cybersecurity
Just out of curiosity, I see a lot of people here use Linux IPTables as their firewall.
Anyone here use something else like OpenBSD PF or *BSD IPF, IPFW?
I'm quite fond of OpenBSD and their Packet Filters. I find their syntax much easier to manage and from my personal experience, I find them... (5 Replies)
Discussion started by: tarballed
5 Replies
2. Cybersecurity
Would it be possible to restrict access to internet pages in the following way?
A machine:
IP = 128.1.17.123
Only pages from domains of the type "go.jp" and "ne.jp" are viewable. All others are not viewable or only partly viewable.
B machine:
IP = 128.1.17.146
Regardless of the domain... (4 Replies)
Discussion started by: mntamago
4 Replies
3. Cybersecurity
Ive been reading for the last week every piece of information on PF that i can find. I am in the process of building a FreeBSD 7.0 Router/Gateway and have been a little stumped by allot of the tutorials/examples out there. Most that I read say that you should always block all! But then I see a... (3 Replies)
Discussion started by: neurosis
3 Replies
4. Cybersecurity
hi everyone
I am a newbee to firewall scripting. cannot understand how to write rules per host. in ip6tables.
anyone plz:( (2 Replies)
Discussion started by: xecutioner
2 Replies
5. AIX
:b:Hi,,
How do configure firewall in aix.. similar to linux iptable.
Rgards,
k.sumathi. (3 Replies)
Discussion started by: sumathi.k
3 Replies
6. Cybersecurity
Hi,
I really do not know how to describe this problem; but, I think it's a firewall
issue. My Distro is Slackware 12.0 (somewhat updated).
My company firewall uses Netfilter and the e-mail server uses Sendmail.
Let's say the firewall's Ext IP = A and Internal DMZ IP = B.
The firewall's... (0 Replies)
Discussion started by: cc_ew
0 Replies
7. SuSE
Is there a command line interface to the firewall? (4 Replies)
Discussion started by: jgt
4 Replies
8. Linux
Dear All
I have put my windows machine behind my centos firewall server with just one NIC. At now, the windows machine can ping 192.9.9.3 but cannot resolve valid url (like www.google.com). I have set DNS for it as well. Can you please let me know what is the missing step?
Thank you (6 Replies)
Discussion started by: hadimotamedi
6 Replies
9. Cybersecurity
Hey Guys,
I am looking for a good firewall software to implement in medium/large office, with at least 150 users.
I was hopping you guys could help me on this one.
Regards, (4 Replies)
Discussion started by: andrevicente
4 Replies
LEARN ABOUT NETBSD
ftp-proxy
FTP-PROXY(8) BSD System Manager's Manual FTP-PROXY(8) NAME
ftp-proxy -- Internet File Transfer Protocol proxy daemon SYNOPSIS
ftp-proxy [-6Adrv] [-a address] [-b address] [-D level] [-i netif] [-m maxsessions] [-P port] [-p port] [-q queue] [-R address] [-T tag] [-t timeout] DESCRIPTION
ftp-proxy is a proxy for the Internet File Transfer Protocol. FTP control connections should be redirected into the proxy using the ipnat(4) or pf(4) rdr command, after which the proxy connects to the server on behalf of the client. The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used. All connections from the client to the server have their source address rewritten so they appear to come from the proxy. Consequently, all connections from the server to the proxy have their destination address rewritten, so they are redirected to the client. The proxy uses the pf(4) anchor facility for this, unless the option -i is specified, it will then use the ipnat(4) interface. Assuming the FTP control connection is from $client to $server, the proxy connected to the server using the $proxy source address, and $port is negotiated, then ftp-proxy adds the following rules to the various anchors. (These example rules use inet, but the proxy also supports inet6.) In case of active mode (PORT or EPRT): rdr from $server to $proxy port $port -> $client pass quick inet proto tcp from $server to $client port $port In case of passive mode (PASV or EPSV): nat from $client to $server port $port -> $proxy pass in quick inet proto tcp from $client to $server port $port pass out quick inet proto tcp from $proxy to $server port $port The options are as follows: -6 IPv6 mode. The proxy will expect and use IPv6 addresses for all communication. Only the extended FTP modes EPSV and EPRT are allowed with IPv6. The proxy is in IPv4 mode by default. -A Only permit anonymous FTP connections. Either user "ftp" or user "anonymous" is allowed. -a address The proxy will use this as the source address for the control connection to a server. -b address Address where the proxy will listen for redirected control connections. The default is 127.0.0.1, or ::1 in IPv6 mode. -D level Debug level, ranging from 0 to 7. Higher is more verbose. The default is 5. (These levels correspond to the syslog(3) levels.) -d Do not daemonize. The process will stay in the foreground, logging to standard error. -i netif Set ftp-proxy for use with IP-Filter. The argument netif should be set to the name of the network interface where rdr is applied on. -m maxsessions Maximum number of concurrent FTP sessions. When the proxy reaches this limit, new connections are denied. The default is 100 ses- sions. The limit can be lowered to a minimum of 1, or raised to a maximum of 500. -P port Fixed server port. Only used in combination with -R. The default is port 21. -p port Port where the proxy will listen for redirected connections. The default is port 8021. -q queue Create rules with queue queue appended, so that data connections can be queued. -R address Fixed server address, also known as reverse mode. The proxy will always connect to the same server, regardless of where the client wanted to connect to (before it was redirected). Use this option to proxy for a server behind NAT, or to forward all connections to another proxy. -r Rewrite sourceport to 20 in active mode to suit ancient clients that insist on this RFC property. -T tag Automatically tag packets passing through the pf(4) rule with the name supplied. -t timeout Number of seconds that the control connection can be idle, before the proxy will disconnect. The maximum is 86400 seconds, which is also the default. Do not set this too low, because the control connection is usually idle when large data transfers are taking place. -v Set the 'log' flag on pf rules committed by ftp-proxy. Use twice to set the 'log-all' flag. The pf rules do not log by default. CONFIGURATION
To make use of the proxy using pf(4), pf.conf(5) needs the following rules. All anchors are mandatory. Adjust the rules as needed. In the NAT section: nat-anchor "ftp-proxy/*" rdr-anchor "ftp-proxy/*" rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021 In the rule section: anchor "ftp-proxy/*" pass out proto tcp from $proxy to any port 21 To make use of the proxy using ipnat(4), ipnat.conf(5) need the following rule: rdr $int_if any port 21 -> 127.0.0.1 port 8021 tcp SEE ALSO
ftp(1), ipnat(4), pf(4), ipnat.conf(5), pf.conf(5) CAVEATS
ipnat(4) and pf(4) does not allow the ruleset to be modified if the system is running at a securelevel higher than 1. At that level ftp-proxy cannot add rules to the anchors and FTP data connections may get blocked. Negotiated data connection ports below 1024 are not allowed. The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible. ftp-proxy chroots to "/var/chroot/ftp-proxy" and changes to user "_proxy" to drop privileges. BSD
August 1, 2007 BSD