Take a look at: http://mouedine.net/ruleset47.aspx

On Thu, 4 Nov 2010 22:27:21 -0700, onteria <onte...@scarletdevil.net> wrote:
> I'm currently working on locking down one of my machines with pf.
> Right now it has a default deny policy and FTP is causing issues. I did
> a search on how to get around FTP oddities using ftp-proxy, but from what I
> understand this requires an internal interface to work, which this
> system doesn't have since it's behind a Netgear router.
>
> Is there something like ftp-proxy for external-interface-only setups
> that uses anchors to rewrite rules on the fly?
>
> Another option I thought of is making a wrapper script around ftp or
> whatever the command-line client was that would take in the hostname as
> the first argument, and the rest of the arguments would be passed to
> whatever the client was. The first call to the script would use pfctl to
> add the server to a table, which would then have a lenient ruleset for
> any FTP server in that table. Once the command is done running, pfctl
> would remove that server from the table. I'm wondering if this would be
> a good idea.
>
> PS: Yes, I plan to set up an OpenBSD router at some point so this
> doesn't become an issue. Unfortunately I'm saving up for something at
> the moment, so even a cheap router off eBay is out of the question right
> now :)
>
> - Onteria
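The wrapper script the quoted poster sketches, written out as an added example (not code from the thread or from OpenBSD). It assumes a hypothetical table named <ftp_servers> and the pf.conf fragment shown in the header comment; the `PFCTL` and `FTP_CLIENT` variables exist only so the add/run/delete flow can be exercised without a live pf.

```sh
#!/bin/sh
# ftpwrap: run an FTP client against HOST while HOST sits in a pf table.
# Assumed pf.conf fragment (hypothetical table name):
#   table <ftp_servers> persist
#   pass out proto tcp to <ftp_servers> port 21            # control channel
#   pass out proto tcp to <ftp_servers> port > 1023        # passive data channels
# Usage: ftpwrap HOST [client options...]   (options are placed before HOST, as ftp(1) expects)
set -u

TABLE=${TABLE:-ftp_servers}        # must match the table name in pf.conf
PFCTL=${PFCTL:-pfctl}              # overridable so the flow can be tested without pf
FTP_CLIENT=${FTP_CLIENT:-ftp}      # the command-line client being wrapped

# Accept only plausible hostnames or IPv4/IPv6 literals, so the argument
# cannot be turned into an extra pfctl option or arbitrary shell text.
valid_host() {
    case $1 in
        ""|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pfctl resolves hostnames itself when adding or deleting table entries.
table_add()    { "$PFCTL" -q -t "$TABLE" -T add "$1"; }
table_delete() { "$PFCTL" -q -t "$TABLE" -T delete "$1"; }

# Add HOST to the table, run the client, then remove HOST again.
# The entry is removed whether the client succeeds, fails or is interrupted,
# and the client's exit status is passed through to the caller.
ftpwrap() {
    host=$1; shift
    valid_host "$host" || { echo "ftpwrap: bad host '$host'" >&2; return 2; }
    table_add "$host" || return 1
    trap 'table_delete "$host"; exit 130' INT TERM HUP
    "$FTP_CLIENT" "$@" "$host"
    rc=$?
    trap - INT TERM HUP
    table_delete "$host"
    return $rc
}

# Run as a script; when sourced for testing, $# is 0 and nothing runs.
if [ $# -gt 0 ]; then
    ftpwrap "$@"
fi
```

The script needs root (or a doas/sudo rule limited to pfctl) to edit the table, and while the entry exists any process on the host, not just the wrapped client, can reach that server's high ports.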