Read man pf.conf and ftp-proxy.

# for proxying with ftp-proxy(8) running on port 8021.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass in on $ext_if inet proto tcp from any to $ext_if \
    user proxy keep state

Of course you have to enable ftp-proxy in inetd:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

You WON'T need:

# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
    user proxy flags S/SA keep state

Good luck.

Nils

-----Original Message-----
From: Hutger H. [mailto:[EMAIL PROTECTED]
Sent: Friday, 24 March 2006 14:38
To: misc@openbsd.org
Subject: FTP Issues

Hi all,

I've got a problem running FTP through my PF firewall. This is the issue:

- I installed a new firewall (OpenBSD 3.9) in my network to connect some users to the Internet through a new link. The users need to connect via FTP to a server located externally (Internet), so the connections must pass through the PF firewall.

- The firewall is working fine, except when some of the users try to establish an FTP connection to the outside. As soon as they connect and try to list the directories, after a long wait, they get disconnected. My firewall rules are shown at the end of the message.

- Analysing the firewall's traffic, I noticed that the problem happens when the FTP server tries to make a new connection back to the client using a high port. I found some tutorials explaining how to solve this problem using ftp-proxy and some PF rules/rdr, but none of them seem to work for me.

Does anyone here have an idea how I can solve this?

PS: Sorry if the question is basic ... I consider myself a PF newbie, since until now I've only worked with Linux-based firewalls.

Thanks in advance,
Hutger.

-------------------------------------------------------
#--- Rules begin here
ext_if="pcn0"
int_if="pcn1"
ext_ip="172.21.28.20/32"
int_ip="192.168.1.254/32"
int_net="192.168.1.0/24"

set skip on lo
set state-policy if-bound
scrub in all

nat on $ext_if from $int_net -> $ext_ip
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block in all
block out all
# note: $dmz_if is not defined anywhere in the ruleset as posted
antispoof log quick for {$ext_if,$dmz_if,$int_if} inet

# Allowing access to the firewall
pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh keep state flags S/SA

# Access from the local network to the Internet
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state

# Allowing outgoing packets on the interfaces
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state

# FTP Proxy Inbound
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) \
    user proxy flags S/SA keep state
#--- Rules end here
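An added example, not taken from either message in this thread: the same setup written for the rewritten ftp-proxy(8) that ships with OpenBSD 3.9, which runs as a standalone daemon and installs its per-session nat/rdr/pass rules into pf anchors instead of relying on inetd and the "user proxy" rules Nils describes for the older proxy. It reuses Hutger's macro names and assumes ftp-proxy is started from /etc/rc.conf.local with ftpproxy_flags="" so that it listens on 127.0.0.1 port 8021.

```pf
# Added example (not from the thread): pf.conf fragment for the anchor-based
# ftp-proxy(8) of OpenBSD 3.9. Assumes ftp-proxy is started from
# /etc/rc.conf.local with ftpproxy_flags="" and listens on 127.0.0.1:8021.
ext_if="pcn0"
int_if="pcn1"
ext_ip="172.21.28.20/32"
int_net="192.168.1.0/24"

set skip on lo
scrub in all

nat on $ext_if from $int_net -> $ext_ip

# ftp-proxy inserts its per-session nat and rdr rules into these anchors;
# they must exist before the proxy can populate them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand the clients' FTP control connections to the proxy. The proxy then
# watches PORT/PASV and sets up rules for each data connection itself, so
# the server's connection back to a high port on the client no longer
# hits "block in all".
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

block in all
block out all
antispoof log quick for {$ext_if,$int_if} inet

# Per-session pass rules installed by the proxy are evaluated here.
anchor "ftp-proxy/*"

pass in quick on $ext_if inet proto tcp from any to $ext_ip port ssh keep state flags S/SA
pass in quick on $int_if inet proto tcp from $int_net to any modulate state
pass in quick on $int_if inet proto {udp,icmp} from $int_net to any keep state

# The proxy's own outbound control connection to the server's port 21 is
# covered by this general outbound rule, as is the rest of the LAN traffic.
pass out quick on {$ext_if,$int_if} inet proto {tcp,udp,icmp} all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`, and confirm the anchors fill during a transfer with `pfctl -a "ftp-proxy/*" -sr`.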