# local ftp client with egress filtering



## xiphias (Dec 27, 2011)

I have a machine running 8.2-REL configured as my router.

I'm doing egress filtering and have restricted what ports outbound connections can be made to. For machines on the LAN I'm using ftp-proxy to allow ftp connections. What is the best way to permit the router itself to make ftp connections?


```
udp_egress = "53 123 1194"
tcp_egress = "21 53 80 443 8080"

pass out on $wan0 inet proto tcp from ($wan0) to !<priv_nets> port {$tcp_egress}
pass out on $wan0 inet proto udp from ($wan0) to !<priv_nets> port {$udp_egress}
pass out on $wan0 inet proto icmp from ($wan0)
pass out on $wan0 tagged NAT
```

So, I can currently make control connections (to port 21), but data connections will be blocked.

Thanks.


----------



## xiphias (Dec 30, 2011)

Hmm, does the lack of response mean everyone is enjoying Christmas (as they should), or that there isn't a decent solution?

Given that I only need to ftp out from the router when updating the kernel/world and ports of the host or the jails I have decided that temporarily adding a rule is best. However, editing pf.conf and reloading the entire ruleset is far too cumbersome for my liking. So I added an anchor:


```
anchor temp out on $wan0 proto tcp
```

And before I do maintenance:


```
$ echo "pass" | sudo pfctl -a temp -f -
```

Finally, to remove the rule:


```
$ sudo pfctl -a temp -F rules
```


----------



## kpa (Dec 30, 2011)

If you know the destination addresses or networks used when doing the updates you could make an exception to egress filtering for those addresses using a table.
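The two approaches in this thread (the temporary `temp` anchor from the second post and the address table kpa suggests) fit together in one ruleset. The fragment below is an added example, not a configuration posted by either participant: the interface name `em0`, the `<update_hosts>` table, its file `/etc/pf.update_hosts` and the 203.0.113.10 address (an RFC 5737 documentation address) are placeholders chosen for illustration, and the existing rules from the first post are kept as written.

```pf
# Added example combining the anchor and table approaches; interface,
# table name, table file and sample address are assumptions.
wan0 = "em0"

udp_egress = "53 123 1194"
tcp_egress = "21 53 80 443 8080"

# RFC 1918 space; "const" so it cannot be changed at runtime with pfctl -T.
table <priv_nets> const { 10/8, 172.16/12, 192.168/16 }

# kpa's suggestion: the mirrors the router fetches updates from.
# Loaded from a file so the list survives a ruleset reload.
table <update_hosts> persist file "/etc/pf.update_hosts"

# Egress policy for the router itself (unchanged from the first post).
pass out on $wan0 inet proto tcp from ($wan0) to !<priv_nets> port { $tcp_egress }
pass out on $wan0 inet proto udp from ($wan0) to !<priv_nets> port { $udp_egress }
pass out on $wan0 inet proto icmp from ($wan0)
pass out on $wan0 tagged NAT

# Permanent exception, scoped to the update hosts only: a passive-mode FTP
# data connection goes to an ephemeral port on the server, which is why the
# port-restricted rule above blocks it even though port 21 is open.
pass out on $wan0 inet proto tcp from ($wan0) to <update_hosts>

# Temporary exception (the anchor from the second post): empty by default,
# so it passes nothing until a rule is loaded into it.
anchor temp out on $wan0 proto tcp
```

With this in place, hosts are added or inspected at runtime with `pfctl -t update_hosts -T add 203.0.113.10` and `pfctl -t update_hosts -T show`, while the anchor is still filled with `echo "pass" | pfctl -a temp -f -` and emptied with `pfctl -a temp -F rules`. The check worth adding to the maintenance routine is `pfctl -a temp -s rules` afterwards: if it prints anything, the router still has an open any-port TCP egress rule. Where the mirrors are known, the table rule is the tighter of the two because it never widens egress beyond those addresses.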


----------

