See if this works for you. Using the ftp proxy with binat probably
will not work. Let's say 100.20.30.40 is the external IP.

# cat /etc/rc.local
 /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

# cat /etc/pf.conf
################ Translation ###############################
rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

################ Filtering #################################
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState 
$FtpIntIf


 Ftp-Proxy "how to" (forward and reverse proxy)
 https://calomel.org/ftp_proxy.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference
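Here is the reply's suggestion written out as a complete pf.conf in OpenBSD 4.3 syntax, an added example rather than either poster's own file. Interface names, the 192.0.2.0/24 DMZ and the 100.20.30.x addresses are placeholders, and the proxy is assumed to be started from rc.local as the reply shows. The comments in the anchor section describe what ftp-proxy inserts there and where the binat mappings get in its way.

```pf
# /etc/pf.conf, OpenBSD 4.3 syntax. Added example; all addresses are placeholders.
ext_if    = "em0"
dmz_if    = "em2"
ext_ip    = "100.20.30.40"     # firewall's own public address, same value as ftp-proxy -a
dmz_net   = "192.0.2.0/24"
dns1_priv = "192.0.2.53"
dns1_pub  = "100.20.30.53"
web_priv  = "192.0.2.80"
web_pub   = "100.20.30.80"

# rc.local starts the proxy with the literal address (pf macros are not expanded there):
#   /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021
# (the reply's -q bulk needs an altq queue named bulk, which this example does not define)

################ Translation ###############################
# ftp-proxy inserts one nat rule (passive-mode data, client -> server
# translated to $ext_ip) and one rdr rule (active-mode data, server -> $ext_ip
# redirected to the client) per session into these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Everything without its own public address is masqueraded behind $ext_ip;
# the proxy's control connection is sourced from $ext_ip and is not rewritten.
nat on $ext_if from !$ext_if to any -> $ext_ip

# 1:1 mappings for the DMZ servers. Caveat: for outbound packets pf consults
# binat before nat, so a passive-mode data connection from $dns1_priv is
# mapped to $dns1_pub by this rule rather than to $ext_ip by the proxy's
# anchor rule. That mismatch is the binat interaction the reply warns about.
binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $web_priv  to any -> $web_pub

# Only FTP control connections from the DMZ network are sent to the proxy.
rdr on $dmz_if inet proto tcp from $dmz_net to any port ftp -> lo0 port 8021

################ Filtering #################################
block log all            # default deny; the site's other pass rules are omitted here

# Per-session pass rules for the data connections, inserted by ftp-proxy.
anchor "ftp-proxy/*"

# DMZ hosts reaching the redirected proxy port on the firewall.
pass in quick log on $dmz_if inet proto tcp from $dmz_net to lo0 port 8021 \
    flags S/SA keep state

# The proxy's own control connection leaving the firewall.
pass out quick on $ext_if inet proto tcp from $ext_ip to any port ftp \
    flags S/SA keep state
```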


On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
>Hi,
>
>I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN
>and 1 DMZ.
>I use ftp-proxy to allow FTP client connections from my LAN and it works
>well. On my DMZ, I have multiple servers (web, DNS, SMTP, etc.) and they
>all have a different public IP. So, I use binat rules to NAT them
>easily and it works fine too.
>But I need to allow these servers on the DMZ to make FTP client connections
>to external servers too. So I have put a rdr rule like the one I did for
>my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
>work; I can only connect to external FTP servers from my DMZ servers if I
>disable the binat rule associated with the server which tries to connect.
>
>My question is, is there a means to do what I want to do? :)
>
>Thanks a lot!
>
>Below is an extract of my pf rules:
>
>nat on $ext_if from !$ext_if to any -> $firewall_pub
>nat-anchor "ftp-proxy/*"
>
>binat on $ext_if from $dns1_priv to any -> $dns1_pub
>binat on $ext_if from $dns2_priv to any -> $dns2_pub
>binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
>binat on $int_if from $web_ville_priv to any -> $web_ville_pub
>
>rdr-anchor "ftp-proxy/*"
>rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021
>
>...
>
>pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
>pass in quick log on $int_if inet proto tcp from <acces_ftp_direct> to lo0 port 8021
>anchor "ftp-proxy/*"
>
>...
