The "user" and "group" features of pf are useful for this.
See also: http://marc.theaimsgroup.com/?l=openbsd-misc&m=115202430208726&w=2 On Thu, 21 Sep 2006, Tom Fitzhenry wrote: > Hi, > > I'm going to university in one week and the university explicitly says > that only one computer (including hardware routers/firewalls) may be > connected to their network; hence, I must run PF on my workstation. > > I'm running default deny for both outgoing and incoming packets. > > The problem is that PF cannot determine which port is going to be used > as the data port for the FTP transfer (i.e. which port has been > negotiated by my FTP client, ftp, and the servers FTP server). > > I know ftp-proxy is used usually for firewalls, but ftp-proxy doesn't > allow me to do something such as: > rdr proto tcp from 127.0.0.1 to any port ftp -> 127.0.0.1 port 8021 > > The solution I've used is to just open all ports from porthifirst to > porthilast for outgoing connections, but I'd much rather only the > needed port is opened. > > I know iptables solves this by reading the PORT verb and determining > which port is going to be used for data transfer. > > Does anybody know of any solution I can use on OpenBSD which only > requires the required port being opened for outgoing connections? > > Tom > > PS. Here's my pf.conf: > # > # --- MACROS --- > # > ext_if="nfe0" > int_if="lo0" > tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 6667, 443, > 21 }" > udp_services = "{ domain }" > icmp_types="echoreq" > ftp_ports = "{ 40000 >< 65535 }" > > # > # --- OPTIONS --- > # > set block-policy drop > set loginterface $ext_if > set skip on lo0 > > # > # --- TRAFFIC NORMALIZATION --- > # > scrub in all > > # > # --- TRANSLATION --- > # > > # > # --- FILTERING --- > # > block log all > > antispoof for $ext_if > antispoof for $int_if > > pass out proto tcp to any port $tcp_services modulate state > pass proto udp to any port $udp_services keep state > > # For outgoing pings > pass out inet proto icmp all icmp-type $icmp_types keep state > > # For FTP > pass out proto tcp to any port $ftp_ports keep state
