S. Scott Sima, CISA, CISM wrote:
> Using openbsd 4.2, pf and ftp-proxy.
>
> ftp-proxy -T <tag> is not being recognized by pf.conf ruleset. In the
> NOT WORKING (snip) below, the tcpdump shows the ftp-proxied packets
> being ignored by the tagged pass rule and hitting on the final block all
> rule.
>
> ftp-proxy invoked as
> /usr/sbin/ftp-proxy -TOKFTP
>
> pf.conf
>
> WORKING using "user"
> (snip)
> rdr log on inside inet proto tcp \
> from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
> # -----
> pass out quick log on outside inet proto tcp \
> user proxy modulate state queue( qlow, qhi)
> # -----
> block drop log all
> # ----- EOF pf.conf
> (snip)
>
> NOT WORKING using tagged (snip)
> rdr log on inside inet proto tcp \
> from (inside:network) to any port {ftp} -> 127.0.0.1 port 8021
> # -----
> pass out quick log on outside inet proto tcp \
> tagged OKFTP modulate state queue( qlow, qhi)
> # -----
> block drop log all
> # ----- EOF pf.conf
> (snip)
I don't see the anchors, you need those with tagging too. Other than
that, it may still not work as expected, see:
http://marc.info/?l=openbsd-misc&m=119729395125104&w=2
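The reply above points at the missing anchors. As an added example (not configuration posted in this thread or shipped with OpenBSD), the following pf.conf fragment shows the ruleset with the nat/rdr/filter anchors that ftp-proxy(8) needs, using the same interface names, proxy port, tag and queue names as the original post. The macro names ($int_if, $ext_if, $lan, $proxy) are assumed for readability, and the qlow/qhi queues are assumed to be defined by an altq block earlier in the file:

```pf
# Added example: pf.conf for OpenBSD 4.2 with ftp-proxy started as
#   /usr/sbin/ftp-proxy -T OKFTP
# Macro names below are assumptions for illustration only.
int_if = "inside"
ext_if = "outside"
lan    = "(inside:network)"
proxy  = "127.0.0.1"

# ftp-proxy inserts its per-connection nat/rdr/filter rules into these
# anchors. Without them, no rule carrying the -T tag ever exists, so
# "tagged OKFTP" can never match.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect the client's FTP control connection to the proxy on port 8021.
rdr pass log on $int_if inet proto tcp \
    from $lan to any port ftp -> $proxy port 8021

# Filter anchor where ftp-proxy's tagged pass rules for the data
# connections are loaded at run time.
anchor "ftp-proxy/*"

# The control connection to the remote server is opened by the proxy
# process itself, not by an anchor rule, so it is never tagged. Match
# it by owner, as in the "user proxy" variant that was reported to work.
pass out quick log on $ext_if inet proto tcp to any port ftp \
    user proxy modulate state queue(qlow, qhi)

# Data connections set up through the anchors carry the OKFTP tag.
pass out quick log on $ext_if inet proto tcp \
    tagged OKFTP modulate state queue(qlow, qhi)

block drop log all
```

After loading the ruleset with pfctl -f /etc/pf.conf, the rules ftp-proxy adds while a transfer is in progress can be inspected with pfctl -a "ftp-proxy/*" -sr; if that anchor is empty while the control session is up, the anchors are not being found, and the tagged pass rule will keep falling through to the final block rule as in the tcpdump in the original post.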