Stephan A. Rickauer wrote:
> Hello,
>
> in migrating our netfilter box to a pf box I need to solve one
> remaining problem: Passive FTP (sigh)
>
> I've read "PF: Issues with FTP" carefully and tried to set up
> ftp-proxy(8) on the firewall. Now it seems I have a fundamental
> misunderstanding on how it should work.
>
> My client is 172.16.3.99
> An example FTP server is 195.135.221.132
>
> Of course, I do NAT on the pf box, which routes traffic from LAN to the
> Internet. The mentioned rdr rule works, so traffic on 21 is redirected
> to localhost:8021 ... However, though the initial control connection
> is redirected, the subsequent ones are not. tcpdump output:
>
> pass in on em0: 172.16.3.99.35563 > 127.0.0.1.8021
> block in on em0: 172.16.3.99.57611 > 195.135.221.132.46778
>
> Does that mean I have to open all the client's outgoing ports to 'any'
> just to get passive FTP running? Or do I need a second rule that
> redirects subsequent things to ftp-proxy as well?
>
> Thanks for the help!
You need to allow outgoing ports > 1024 from your client.
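For reference, here is a pf.conf fragment tying the pieces of this thread together. It is an added example, not configuration posted by either participant; it uses the interface (em0) and client address (172.16.3.99) from the original message and assumes OpenBSD's ftp-proxy(8) running with its default listener on 127.0.0.1 port 8021 and the `ftp-proxy/*` anchors described in the "PF: Issues with FTP" FAQ the poster refers to (the external interface name `em1` is an assumption). The final rule is the blanket high-port pass suggested in the reply; the anchor lines are the narrower alternative, where ftp-proxy(8) inserts per-session rules for each data connection and removes them when the session ends, so the client never gets a standing permit to every port above 1024.

```conf
# Added example pf.conf fragment (pre-4.7 pf syntax, matching the rdr/8021 setup in the thread).
# Assumed names: ext_if = "em1" is a placeholder; em0 and 172.16.3.99 come from the original post.
int_if = "em0"
ext_if = "em1"
client = "172.16.3.99"

# Translation section
# ftp-proxy(8) populates these anchors with nat/rdr rules for the data connections it brokers.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Outbound NAT for the LAN (the box already does this according to the post).
nat on $ext_if from $client to any -> ($ext_if)

# Redirect the FTP control connection (port 21) into the local ftp-proxy listener.
rdr pass on $int_if proto tcp from $client to any port 21 -> 127.0.0.1 port 8021

# Filter section
block in on $int_if all

# Per-session pass rules for FTP data connections are inserted here by ftp-proxy(8);
# without this anchor line those rules are never evaluated, and the data connection
# (e.g. 172.16.3.99.57611 > 195.135.221.132.46778 in the post) is logged as blocked.
anchor "ftp-proxy/*"

# Let the proxy itself open the control connection to the remote FTP server.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state

# Blanket alternative from the reply: allow the client to reach any high port.
# Passive data ports are chosen by the server above 1024, so this works, but it
# permits far more than FTP; prefer the anchor-driven rules above where possible.
pass in on $int_if proto tcp from $client to any port > 1024 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. With the anchor approach in place, `pfctl -a "ftp-proxy/*" -sr` during a transfer shows the temporary rules ftp-proxy(8) has added for that session, which is a quick way to confirm the proxy is doing its job before falling back to the broad high-port rule.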