Hi, I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN and 1 DMZ. I use ftp-proxy to allow FTP client connections from my LAN and it works well. On my DMZ, I have multiple servers (web, DNS, SMTP, etc.) and they all have a different public IP. So I use binat rules to NAT them easily and it works fine too. But I need to allow these servers on the DMZ to make FTP client connections to external servers too. So I have put a rdr rule like the one I did for my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't work: I can only connect to external FTP servers from my DMZ servers if I disable the binat rule associated with the server which tries to connect.
My question is, is there a way to do what I want to do? :) Thanks a lot! Below is an extract of my pf rules:

# translation rules (nat / binat / rdr)
nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"
binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub
rdr-anchor "ftp-proxy/*"
# send FTP control connections from the LAN and the DMZ to ftp-proxy on lo0:8021
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021
...
# filter rules
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to lo0 port 8021
anchor "ftp-proxy/*"
...