On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote:
> Hi,
>
> my -current firewall is configured to block all in, block all out 
> and allow only certain outbound connections.
>
> Now I want to allow outbound ftp connections.
>
> I read ftp-proxy(8) and 
> http://openbsd.org/faq/pf/ftp.html#client.
>
> As I understand it, ftp-proxy could be used to create rules for 
> inbound and outbound connections on 4.6. Now on -current the rdr 
> keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
> suggests using rdr-to, but this only works for inbound 
> connections.
>
> Is it possible to allow ftp connections from a local client to
> public ftp servers on the internet? Possibly by using ftp-proxy?

I suspect your understanding of "inbound" is from the viewpoint
of your network; PF doesn't care about that at all, it's only
concerned with whether a packet is inbound or outbound to a
particular interface.

rdr only works for inbound connections too.

A rule like the following works just fine for an ftp connection
from a local client to a public ftp server:

pass in quick log on {lan, wifi, natted} inet proto tcp \
    to port 21 rdr-to 127.0.0.1

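As an added illustration (not part of the thread), a complete pf.conf in the post-rdr syntax that applies the reply's point about "in" being per interface. It assumes the internal interfaces are named lan and wifi, the external interface group is egress, and ftp-proxy(8) runs with its defaults (listening on 127.0.0.1 port 8021, started via ftp-proxy_flags="" in rc.conf.local).

```pf
# Added example, not from the thread. Assumed interface names: lan, wifi
# (internal) and the egress group (external); ftp-proxy with default options.
int_if = "{ lan wifi }"

# Default deny in both directions, as in the original post.
block log all

# ftp-proxy inserts a narrow pass rule into this anchor for every data
# connection it negotiates, and removes it again when the session ends.
# The anchor has to be present in the ruleset before the proxy can use it.
anchor "ftp-proxy/*"

# "in" is relative to the interface, not to the site: the client's SYN to
# port 21 arrives inbound on lan or wifi, so rdr-to applies here and hands
# the control connection to the proxy. The port is required; a bare
# "rdr-to 127.0.0.1" keeps the original port 21, which nothing listens on.
pass in quick log on $int_if inet proto tcp to port ftp \
    rdr-to 127.0.0.1 port 8021

# The proxy's own control connection to the remote server still needs a
# way out. Data connections are covered by the rules ftp-proxy adds to
# its anchor, so no broad high-port pass rule is needed.
pass out quick on egress inet proto tcp to port ftp
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -a 'ftp-proxy/*' -sr` shows the per-session rules while a transfer is in progress.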