FreeBSD PF firewall: allowing active and passive FTP connections
Posted: 2019-11-20 08:54:04 Source: igfitidea
Q: I've a FreeBSD-based Apache web server. I need to allow outgoing ftp client requests so that I can download the BSD ports collection from various ftp sites. How do I allow outgoing FTP connections through the PF network firewall software under this operating system? A: You
Question
How do I set up the PF firewall on FreeBSD to allow FTP connections?
How do I open the FTP ports in the firewall on FreeBSD or OpenBSD?
Solution
Use ftp-proxy, a proxy for the Internet File Transfer Protocol. It ships with pf on both FreeBSD and OpenBSD, so nothing extra has to be installed. It is needed because FTP uses a second TCP connection for data whose port is negotiated inside the control channel: in active mode the client announces an address and port (PORT or EPRT) and the server connects back to it, in passive mode the server announces one (reply 227 or 229) and the client connects to it. A firewall cannot know those ports in advance, so ftp-proxy sits on the control connection, reads the PORT/PASV exchange and loads a pass rule for exactly that data connection into a pf anchor for the duration of the transfer.
Enabling ftp-proxy on FreeBSD
Edit /etc/rc.conf:
# vi /etc/rc.conf
Add the following line:
ftpproxy_enable="YES"
On OpenBSD, run the following so that ftp-proxy starts at boot (rcctl enable ftpproxy does the same on releases that have rcctl):
echo 'ftpproxy_flags=""' >>/etc/rc.conf.local
By default ftp-proxy listens on 127.0.0.1, port 8021; the -b (address) and -p (port) flags in ftp-proxy(8) change that, and the rdr rule below must then be changed to match.
Configuring pf and ftp-proxy
Edit /etc/pf.conf.
Add the following to the translation (NAT) section:
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
All three lines are required even if your setup does not use NAT: the two anchors are where ftp-proxy loads its per-session translation rules, and the rdr line is what hands the outgoing control connection (port 21) to the proxy.
Add the following to the filter rules:
anchor "ftp-proxy/*"
This is where ftp-proxy loads the pass rules for each data connection. On OpenBSD 4.7 and later the nat/rdr syntax above no longer exists; there ftp-proxy(8) expects the same filter anchor together with a pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021 rule in place of the rdr line.
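To make the negotiation that ftp-proxy has to track concrete, here is an added example (not from the original article and not ftp-proxy's own code). It parses the client's PORT/EPRT command (active mode) and the server's 227/229 reply (passive mode) and emits, for each transfer, one pf rule in the shape ftp-proxy loads into its "ftp-proxy/*" anchor. The exact rule text ftp-proxy writes is an assumption here, the transcript and addresses are constructed, and the two refusals (a PORT that names a third host, which is the classic FTP bounce, and a data port below 1024) are this example's policy rather than something the article states.

```python
# Added example: what a firewall helper must extract from the FTP control
# channel, and the kind of per-connection rule it loads into a pf anchor.
# Not ftp-proxy's code; the rule wording is illustrative.
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str  # "active": server dials the client, "passive": client dials the server
    host: str  # address the data connection is made to
    port: int  # TCP port the data connection is made to


def _hp(h1, h2, h3, h4, p1, p2):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PORT and the 227 reply."""
    parts = [int(x) for x in (h1, h2, h3, h4, p1, p2)]
    if any(p > 255 for p in parts):
        raise ValueError("byte out of range in address/port tuple")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def _checked_port(port: int) -> int:
    # Policy of this example (assumption): never open privileged or impossible ports.
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing data port {port}")
    return port


def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Return the data channel announced by one control-channel line, or None."""
    line = line.rstrip("\r\n")
    if m := PORT_RE.match(line):
        host, port = _hp(*m.groups())
        if host != client_ip:  # PORT naming a third host: FTP bounce, refuse it
            raise ValueError(f"PORT address {host} is not the client {client_ip}")
        return DataChannel("active", host, _checked_port(port))
    if m := EPRT_RE.match(line):
        host, port = m.group(1), int(m.group(2))
        if host != client_ip:
            raise ValueError(f"EPRT address {host} is not the client {client_ip}")
        return DataChannel("active", host, _checked_port(port))
    if m := PASV_RE.match(line):
        host, port = _hp(*m.groups())
        if host != server_ip:  # same idea on the server side: only follow the peer
            raise ValueError(f"227 address {host} is not the server {server_ip}")
        return DataChannel("passive", host, _checked_port(port))
    if m := EPSV_RE.match(line):
        return DataChannel("passive", server_ip, _checked_port(int(m.group(1))))
    return None


def anchor_rule(chan: DataChannel, client_ip: str, server_ip: str) -> str:
    """One pf rule admitting exactly this data connection (illustrative wording)."""
    if chan.mode == "passive":
        return (f"pass out quick inet proto tcp from {client_ip} to {chan.host} "
                f"port {chan.port} flags S/SA keep state (max 1)")
    return (f"pass in quick inet proto tcp from {server_ip} to {chan.host} "
            f"port {chan.port} flags S/SA keep state (max 1)")


def session_rules(transcript: List[str], client_ip: str, server_ip: str) -> List[str]:
    """Walk a control-channel transcript and collect the rules it would need."""
    rules = []
    for line in transcript:
        chan = parse_control_line(line, client_ip, server_ip)
        if chan is not None:
            rules.append(anchor_rule(chan, client_ip, server_ip))
    return rules


# Constructed transcript: one passive and one active transfer between the
# firewall host 198.51.100.7 (client) and the ftp server 203.0.113.5.
SAMPLE_TRANSCRIPT = [
    "220 FTP server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",
    "RETR INDEX",
    "PORT 198,51,100,7,4,1",
    "200 PORT command successful",
    "LIST",
]

if __name__ == "__main__":
    for rule in session_rules(SAMPLE_TRANSCRIPT, "198.51.100.7", "203.0.113.5"):
        print(rule)
```

The passive transfer yields a pass out rule to server port 50000 (195*256+80) and the active one a pass in rule to client port 1025; with the article's block in all default, that second rule is the only thing that lets the server's connection back in, which is why the filter anchor is needed even on a host that never uses NAT.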
Example pf.conf ruleset
The following /etc/pf.conf allows outgoing ftp as well as ssh, http and dns. Two pf constraints shape the layout: pfctl rejects a ruleset whose sections are not in the order options, normalization, queueing, translation, filter, so the set skip option sits at the top rather than among the filter rules, and the TCP services use synproxy state alone, since synproxy state already implies modulate state and the grammar does not accept both keywords on one rule.

#### First declare a couple of variables ####
# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
ext_if = "em1"        # Internet
int_if = "em0"        # vpn / lan
proxy = "127.0.0.1"   # ftp proxy IP
proxyport = "8021"    # ftp proxy port

#### Options (must come before any other rule type)
# Unlimited traffic for lo0 and the VPN/LAN interface
set skip on { lo0, $int_if }

#### Normalization
scrub in all

#### NAT and RDR start
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect ftp control connections to the proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

#### Start filtering
# Drop everything incoming
block in all
# Default: answer with RST / ICMP unreachable instead of dropping silently
block return
# Keep state for outgoing connections
pass out keep state
# ftp-proxy loads its per-session pass rules here
anchor "ftp-proxy/*"
# Spoofing protection: drop packets that fail the reverse-path check
block in quick from urpf-failed
# Antispoof is a common special case of filtering and blocking.
# It protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
# Block RFC 1918 and other non-routable addresses on the external interface
block drop in log (all) quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
# Allow outgoing ssh, smtp, domain, www, https, ntp, whois
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow outgoing traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow incoming named, udp and tcp 53
pass in on $ext_if proto udp from any to any port 53
# Incoming tcp services protected with synproxy
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
# Allow ICMP ping
pass inet proto icmp all icmp-type $icmp_types keep state
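The section-ordering rule that pfctl enforces is easy to trip over when rules are pasted together from several sources, so here is an added example (not from the article, not pfctl's code) that reproduces that one check: it classifies each line by its leading keyword into options, normalization, queueing, translation or filter, and reports the first line that steps backwards. It is the kind of lint one runs on a host without pfctl, for instance a CI runner holding pf.conf in git; pfctl -nf on the firewall remains the authoritative check. The two configs below are constructed fragments in the shape of this article's ruleset, one with set skip placed among the filter rules (which pfctl rejects with "Rules must be in order: options, normalization, queueing, translation, filter") and one with it moved to the top. The keyword table covers the keywords used here plus a few common ones, not the whole pf grammar.

```python
# Added example: a minimal reproduction of pfctl's section-ordering check.
# Not pfctl source; keyword coverage is partial (assumption: enough for
# rulesets like the one in this article).
import re
from typing import Optional, Tuple

SECTIONS = ["options", "normalization", "queueing", "translation", "filter"]

KEYWORD_SECTION = {
    "set": "options",
    "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation",
    "binat-anchor": "translation",
    "pass": "filter", "block": "filter", "match": "filter",
    "antispoof": "filter", "anchor": "filter",
}
# Lines that may appear anywhere: macro definitions, tables, includes, anchor loads.
_MACRO = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
_ANYWHERE = ("table ", "include ", "load anchor")


def classify(line: str) -> Optional[str]:
    """Map one pf.conf line to its section, or None if it is order-neutral."""
    text = line.split("#", 1)[0].strip()
    if not text or _MACRO.match(text) or text.startswith(_ANYWHERE):
        return None
    return KEYWORD_SECTION.get(text.split()[0])


def check_order(conf: str) -> Tuple[bool, str]:
    """Return (ok, message); the message names the first offending line."""
    highest = -1
    for lineno, line in enumerate(conf.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTIONS.index(section)
        if rank < highest:
            return False, (f"line {lineno}: {section} rule '{line.strip()}' "
                           f"appears after {SECTIONS[highest]} rules; "
                           "pfctl requires " + ", ".join(SECTIONS))
        highest = rank
    return True, "sections are in order"


# Constructed fragment with 'set skip' sitting among the filter rules.
BAD_CONF = """\
ext_if = "em1"
int_if = "em0"
scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in all
pass out keep state
anchor "ftp-proxy/*"
set skip on {lo0, $int_if}
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
"""

# Same fragment with the option moved up front, where pfctl accepts it.
GOOD_CONF = """\
ext_if = "em1"
int_if = "em0"
set skip on {lo0, $int_if}
scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in all
pass out keep state
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        ok, msg = check_order(conf)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({msg})")
```

Run it and the first config fails at the set skip line while the second passes; the same reordering is what makes pfctl -nf accept the file.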
Reloading PF
On FreeBSD, run:
# /etc/rc.d/pf restart
On OpenBSD (this also works on FreeBSD), check the syntax first, then load the rules:
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf
Prefer the pfctl form (or service pf reload on FreeBSD, which runs the same pfctl -f) when you are connected over ssh: a full restart flushes the state table, and the inbound ssh rule above only matches new SYNs, so an established session whose state is gone is dropped by block in all. pfctl -f replaces the ruleset but keeps existing states.
Starting ftp-proxy
On FreeBSD, start ftp-proxy with:
# /etc/rc.d/ftp-proxy start
On OpenBSD, simply run the binary:
# /usr/sbin/ftp-proxy
While testing, it helps to run it in the foreground with -d and to add -v (or -vv) so that every command it relays is logged; both flags are described in ftp-proxy(8).
Testing
Test the configuration with an ftp client:
$ ftp ftp.freebsd.org
Before the test, confirm that ftp-proxy is listening on 127.0.0.1:8021 (sockstat -4l on FreeBSD). Most clients default to passive mode; on FreeBSD, ftp -A forces active mode so that both paths through the proxy are exercised. During a transfer, pfctl -a ftp-proxy -sA lists a sub-anchor for the session, which is the sign that the control connection was redirected through the proxy. If the login works but a directory listing or download hangs, the usual causes are ftp-proxy not running, the rdr line missing from pf.conf, or a quick block rule placed ahead of the anchor.