I have run across the same problem.  The issue here is that a
client must connect to a port greater than 1023 from a port greater than
1023 (at least that is my current experience) and that the only way for
this to work is for you to allow any system inside your LAN to connect
to any port > 1023 outside your LAN - and allow the reply traffic into
your system.

The FTP proxy still handles the initial connection, but since the second
connection comes from a random port on the client PC to a random port on
the server - I don't believe there is any way to both allow Passive FTP
and block all but certain traffic - if that traffic communicates using
ports greater than 1023.  

A good for instance is trying to stop things like VNC.  With default
deny and only allowing particular ports we are able to stop things like
outgoing VNC - except to PCs we want to allow it to - without having to
create specific block rules.  In order to allow Passive FTP (wasn't
Passive FTP supposed to be "firewall friendly"? :) we have to open up
access to all ports over 1023 for all clients that might use it.  So in
the end we have created a block quick rule to prevent specifically the
ports over 1023 that we do not wish to allow (such as 5900 - VNC) - in
essence, except for the low ports < 1023, creating a pass all rule.

This - of course is not a problem with PF - but with the passive FTP
specification.  I don't know if there is another way around this other
than only allowing Active FTP (kind of ironic) behind the firewall and
thereby allowing the ftp-proxy to handle the connections.

Not really an answer on how to solve it - but hope it helps answer the
question.  If anyone else has additional insight......

- Brian Shackelford
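The workaround Brian describes (default deny, a quick block for the high ports you do not want, then a broad pass above 1023 so passive data channels get through), written out as an added pf.conf fragment. It is not from the thread: the interface names, LAN prefix, approved-port list, the host VNC is allowed to, and the ftp-proxy listening port are all assumptions.

```pf
# pf.conf sketch in OpenBSD 3.x-era syntax (explicit "keep state").
# Interface names, LAN prefix, port list and addresses are constructed placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
vnc_ok  = "203.0.113.10"        # the one outside PC VNC may reach (constructed)

# Default deny; everything below is an explicit exception.
block all

# Outbound FTP control connections from the LAN are redirected to the local
# ftp-proxy (inetd-style ftp-proxy on 127.0.0.1:8021 is assumed here).
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
pass in on $int_if proto tcp from $lan_net to 127.0.0.1 port 8021 keep state

# Low ports we approve of.  LAN traffic is filtered inbound on $int_if, where
# it first reaches the firewall, so these are the rules that decide.
pass in on $int_if proto tcp from $lan_net to any port { 22, 25, 80, 443 } keep state

# The workaround from the post: a passive-FTP data channel goes to an
# unpredictable server port above 1023, so a broad "port > 1023" pass is
# needed.  "quick" rules placed before it carve out the high ports we do
# not want leaving the LAN (VNC on 5900), with one permitted destination.
pass  in quick on $int_if proto tcp from $lan_net to $vnc_ok port 5900 keep state
block in quick on $int_if proto tcp from $lan_net to any     port 5900
pass  in       on $int_if proto tcp from $lan_net to any     port > 1023 keep state

# Traffic admitted on $int_if (and the proxy's own connections) may leave;
# the state entry lets the replies back in.
pass out on $ext_if keep state
```

Rule order matters: if the two VNC rules were placed after the "port > 1023" pass, the last matching rule would win and VNC would be allowed everywhere.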


-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Stephan A. Rickauer
Sent: Monday, September 19, 2005 7:53 AM
Cc: misc
Subject: Re: ftp-proxy(8) and pf question

Matt Rowley wrote:
> You have the rdr sending outbound 21 to the ftp-proxy service, but you
> also need to let traffic back in to the service:

As far as I know, this only applies to _active_ ftp, about which I am 
not concerned at the moment.

Thanks anyway.

-- 

  Stephan A. Rickauer

  ----------------------------
  Institut für Neuroinformatik
  Universität / ETH Zürich
  Winterthurerstrasse 190
  CH-8057 Zürich

  Tel: +41 44 635 30 50
  Sek: +41 44 635 30 52
  Fax: +41 44 635 30 53

  http://www.ini.ethz.ch
  ----------------------------
