On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:

> On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote:
> > Hi,
> >
> > my -current firewall is configured to block all in, block all out 
> > and allow only certain outbound connections.
> >
> > Now I want to allow outbound ftp connections.
> >
> > I read ftp-proxy(8) and 
> > http://openbsd.org/faq/pf/ftp.html#client.
> >
> > As I understand it, ftp-proxy could be used to create rules for 
> > inbound and outbound connections on 4.6. Now on -current the rdr 
> > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
> > suggests using rdr-to, but this only works for inbound 
> > connections.
> >
> > Is it possible to allow ftp connections from a local client to
> > public ftp serves on the internet? Possibly by using ftp-proxy?
> 
> I suspect your understanding of "inbound" is from the viewpoint
> of your network; PF doesn't care about that at all, it's only
> concerned with whether a packet is inbound or outbound to a
> particular interface.

ok, thanks. That's clear. I don't have a whole net. It's just a 
single workstation, using pppoe0 to reach the internet. So the 
ftp client is running on the firewall, not behind it. The packets 
will be outbound on my pppoe0, but not inbound on any interface, 
will they?

> rdr only works for inbound connections too.

As I understood it, it works _only_ for inbound connections.

> A rule like the following works just fine for a ftp connection
> from a local client to a public ftp server:
> 
> pass in quick log on {lan, wifi, natted} inet proto tcp \
>     to port 21 rdr-to 127.0.0.1

Isn't this just the example from the default pf.conf with
"on {...}" added and port 8021 left out?

After reading http://www.openbsd.org/faq/current.html#20090901

it seems to me that it is in fact not possible at the moment to 
use an ftp client on a firewall until the current restriction on 
rdr-to in pfctl is removed. Is this true?


Christopher
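To make concrete which case the quoted rdr-to rule does cover, the following is an added pf.conf example; it is not from Stuart's or Christopher's messages. It assumes a LAN on an internal interface named em0 (pppoe0 is taken from the thread), a default-deny policy as described, and ftp-proxy(8) running with its default listener on 127.0.0.1 port 8021 (the port the default pf.conf example uses). It handles clients behind the firewall only; a client on the firewall host itself never produces packets that are inbound on an interface, which is exactly the open question in the thread.

```pf
# Added example (not from the thread): ftp-proxy redirection for clients
# on an internal interface, in the 2010 -current rdr-to / nat-to syntax.
# Interface names are assumptions; adjust to the actual setup.
int_if = "em0"
ext_if = "pppoe0"

# ftp-proxy(8) must be running (ftp_proxy_flags="" in /etc/rc.conf.local);
# it listens on 127.0.0.1:8021 by default and inserts the per-session
# data-connection rules into this anchor.
anchor "ftp-proxy/*"

# Default-deny policy as described in the thread.
block in all
block out all

# Address translation for the LAN; ftp-proxy adds its own nat rules
# for data connections inside the anchor.
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Control connections from LAN clients arrive *inbound* on $int_if,
# so a rdr-to rule can match them and hand them to the proxy.
pass in quick log on $int_if inet proto tcp from $int_if:network \
    to port ftp rdr-to 127.0.0.1 port 8021

# The proxy then opens its own control connection to the real server;
# with "block out all" in place that needs an explicit pass out rule.
pass out quick on $ext_if inet proto tcp to port ftp

# Packets from an ftp client running on the firewall itself are only
# ever outbound on $ext_if, never inbound on any interface, so the
# rdr-to rule above never matches them.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and, once ftp-proxy has handled a session, `pfctl -a "ftp-proxy/*" -sr` shows the rules it inserted for the data connection.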