On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote: > Hi, > > my -current firewall is configured to block all in, block all out > and allow only certain outbound connections. > > Now I want to allow outbound ftp connections. > > I read ftp-proxy(8) and > http://openbsd.org/faq/pf/ftp.html#client. > > As I understand it, ftp-proxy could be used to create rules for > inbound and outbound connections on 4.6. Now on -current the rdr > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) > suggests using rdr-to, but this only works for inbound > connections. > > Is it possible to allow ftp connections from a local client to > public ftp serves on the internet? Possibly by using ftp-proxy?
I suspect your understanding of "inbound" is from the viewpoint of your network; PF doesn't care about that at all, it's only concerned with whether a packet is inbound or outbound to a particular interface. rdr only works for inbound connections too. A rule like the following works just fine for a ftp connection from a local client to a public ftp server: pass in quick log on {lan, wifi, natted} inet proto tcp \ to port 21 rdr-to 127.0.0.1