Hello,

Take a look at:
http://www.openbsd.org/faq/pf/ftp.html

Maybe it can help!

On Thu, Oct 1, 2009 at 3:52 PM, AG <computing.acco...@googlemail.com> wrote:
> Hello
>
> I want to download via ftp, but am unable to do so. I believe that it
> would have something to do with my pf.conf file in my firewall, so have
> listed that below.
>
> ########### simple pf.conf ##################
> # allow all outgoing TCP, UDP
> # allow outgoing ICMP ping
> # specifically block 11 common inet services
> # Modified for nntp and bittorrent
> #############################################
>
>
> # MACRO
> ext_if = "rl0"
> int_if = "vr0"
> PING = "echoreq"
> allow_tcp = "{ 119 }" #Port needed for nntp server
>
> #IntNet = "192.168.1.0/24" #Sub-net range
> #InBitTCP = "{ 6969, 6881:6889 }" #Ports needed for BitTorrent
> #BitIP = "192.168.1.40" #BitTorrent client
>
> tcp_services = "{ smtp, pop3, pop3s, www, msa, https, ftp, whois, ssh, telnet, rsync }"
> udp_services = "{ domain }"
>
>
> # OPTIONS:
> set block-policy drop
> set optimization normal
> set loginterface $ext_if
>
> # SCRUB:
> scrub in on $ext_if all
>
> # NAT/RDR
> nat on $ext_if from $int_if:network to any -> $ext_if
>
> #nat on $ext_if proto tcp from $IntNet port $InBitTCP to any -> $ext_if \
> #       static-port
> #nat on $ext_if proto udp from $IntNet port $InBitTCP to any -> $ext_if \
> #       static-port
> #rdr on $ext_if proto tcp from !$IntNet to any port 6969 -> $BitIP port 6969
> #rdr on $ext_if proto udp from !$IntNet to any port 6881:6889 -> $BitIP \
> #       port 6881:6889
>
> # filter:
>
> block log on $ext_if all
>
> #pass in quick on $ext_if inet proto tcp from any to any port $InBitTCP \
> #       flags S/SA synproxy state
> #pass in quick on $ext_if inet proto udp from any to any port $InBitTCP
>
> #pass out on $int_if inet proto tcp from any to $IntNet port $port_bittorrent \
> #       flags S/SA synproxy state
> #pass out on $int_if inet proto udp from any to $IntNet port $port_bittorrent
>
> pass quick on lo0 all
>
> pass out on $ext_if proto tcp from any to any port $allow_tcp keep state
>
> pass out quick on $ext_if inet proto tcp from \
>         { $ext_if:network, $int_if:network } to any port $tcp_services keep state
>
> pass out quick on $ext_if inet proto udp from \
>         { $ext_if:network, $int_if:network } to any port $udp_services keep state
>
> pass out quick on $ext_if inet proto icmp from \
>         { $ext_if:network, $int_if:network } to any icmp-type $PING keep state
>
> antispoof for $ext_if
> antispoof for $int_if
>
> #### /etc/pf.conf ends ######################
>
> It has been a number of years since I set this up, and note that I have ftp
> listed as a protocol to not allow. How can I change this without
> compromising security please?
>
> Many TIA.
>
> AG
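Added example, not from either message: the ftp-proxy(8) setup that the linked FAQ describes, written against AG's own macros and the pre-4.7 nat/rdr syntax his file already uses. It assumes the proxy's default listen address of 127.0.0.1 port 8021 and that it is enabled with `ftp-proxy_flags=""` in /etc/rc.conf.local; the point is that the data channel is opened per session by the proxy's anchor, so no port range has to be left open on $ext_if.

```conf
# Additions to /etc/pf.conf for FTP clients behind this firewall (added example).
# Enable the proxy first:  echo 'ftp-proxy_flags=""' >> /etc/rc.conf.local
# ftp-proxy listens on 127.0.0.1 port 8021 by default.

# NAT/RDR section: the anchors let ftp-proxy insert its own nat/rdr rules.
# They must come before the static nat rule.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> $ext_if

# Redirect the LAN's FTP control connections (port 21) into the proxy
# instead of letting clients talk to the FTP server directly.
rdr on $int_if proto tcp from $int_if:network to any port ftp -> 127.0.0.1 port 8021

# filter section: keep "block log on $ext_if all" as it is, then pull in the
# per-session pass rules that ftp-proxy creates for each negotiated data
# connection (only the exact ports in use, only for the session's duration).
anchor "ftp-proxy/*"

# The proxy opens the control connection to the server from the firewall
# itself. AG's existing $tcp_services rule already covers port ftp from
# $ext_if:network, so this line is only needed if that rule is removed.
pass out on $ext_if proto tcp from $ext_if to any port ftp keep state
```

Load the result with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`; the exact anchor lines for the release in use are on the FAQ page linked above.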