
I'm having a heck of a time creating a pf ruleset for FTP.

What I'm trying to do is:

Only allow $WHITELIST to connect to FTP port 21

Open ports 49152 - 65535 for the passive port range

Can anyone help me with this?

I have tried:

FTPWHITELIST="localhost, XX.XX.XX.XX"

pass in quick on $EXT_IF proto tcp from { $FTPWHITELIST } to XX.XX.XX.XX port 21 keep state
# passive range: 49152:65535 is inclusive; the original 49512 >< 65535 had the
# digits transposed and >< excludes both end ports
pass in quick on $EXT_IF proto tcp from { $FTPWHITELIST } to XX.XX.XX.XX port 49152:65535 keep state

Brian Smith
  • edited post to show what I have tried – Brian Smith Nov 29 '10 at 00:10
  • Do you have a default deny rule? Also, the default now is to keep state. How are you testing? – Rob Olmos Nov 29 '10 at 04:26
  • I do not have any default deny rule - I'm testing the rules on my home computer before throwing it on the production server. The only rule I have in PF is a port redirect for the postfix mail system. – Brian Smith Nov 29 '10 at 21:14

2 Answers


Have you tried what's mentioned in the FAQ:

http://www.openbsd.org/faq/pf/ftp.html

FTP is a fairly convoluted algorithm that's evolved over the decades (it was created in 1971, when firewalls, and even TCP/IP, hadn't been invented yet), so getting it to work can be troublesome.

Try to make sure you use "passive" mode on your client(s).

If possible, try to use HTTP/S or SFTP (SSH FTP). They're both much cleaner, modern designs.

DAM

To allow $FTPWHITELIST only, you need to block all other traffic before:

# WARNING! DO NOT use this snippet on production until you completely understand it
block in on $EXT_IF
pass in quick on $EXT_IF proto tcp from { $FTPWHITELIST } to XXX port 21 keep state
...
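A fuller ruleset along the lines of this answer, as an added example (not from the original answer or the OpenBSD FAQ): a default deny first, then the whitelisted FTP control port and the passive range. The interface name, server address and whitelist entries are placeholders; the passive range is the one from the question.

```conf
# Added example, not the original answer's code. Interface, addresses and
# whitelist entries are placeholders to be replaced with real values.
ext_if        = "em0"
ftp_server    = "192.0.2.10"                 # placeholder public address
ftp_whitelist = "{ 127.0.0.1, 192.0.2.50 }"  # placeholder trusted hosts
passive_ports = "49152:65535"                # ':' is inclusive; '><' would drop both end ports

set skip on lo

# Default deny: inbound traffic that no later 'pass' rule matches is dropped.
# Without this line the FTP rules below allow the whitelist but block nobody.
block in log on $ext_if

# Let the host's own outbound connections and their replies through.
pass out quick on $ext_if keep state

# FTP control channel (port 21), only from whitelisted hosts.
pass in quick on $ext_if proto tcp from $ftp_whitelist to $ftp_server port 21 keep state

# Passive data channel: the server listens in this range, restrict it the same way.
pass in quick on $ext_if proto tcp from $ftp_whitelist to $ftp_server port $passive_ports keep state
```

The FTP daemon must be configured to advertise the same passive range, otherwise clients are told to connect to ports this ruleset drops. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.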