On Mon, Jan 30, 2006 at 02:12:54PM -0500, Price, Joe wrote:
> On the far end, the pf rules are simply pass all
>
> On this end the only rules that apply are:
>
> scrub in no-df
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> rdr on $ext_if proto tcp from any to X.X.X.X/32 port ftp -> X.X.X.X port
> ftp
>
>
> I tried using cuteftp on a Windows box behind the far end, using PASV &
> EPSV.. Still no luck.
>
> This must be possible. Below I highlight the fact that they are Windows
> clients connecting from behind the far end's firewall. It very well may
> be that any connection from any OS from behind the far end does not
> work. It does however, work when I use an OpenBSD box that is connected
> directly to the Internet..

The example uses ftp-proxy (which is neat, BTW, and has been rewritten for 3.9 too), and a pass rule which checks if the proper user is using the port. You do not seem to have that one...

Joachim