On 2010-03-12, madro...@zakweb.de <madro...@zakweb.de> wrote:
>
>> > it seems to me that it is in fact not possible at the moment to
>> > use a ftp-client on a firewall until the current restriction on
>> > rdr-to in pfctl will be removed. Is this true?
>>
>> you'll need to add rules to allow the connections through if you want
>> to do this.
>
> So essentially I have to allow inbound connections to the range between
> net.inet.ip.porthifirst
> net.inet.ip.porthilast
> for active ftp and allowing outbound connections from ports >1023 for
> passive ftp?
yep. you can also restrict by userid if you like.
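
A pf.conf fragment showing the rules discussed above, narrowed by userid. This is an added example, not from the original thread; it assumes a default-deny ruleset, a hypothetical local account `ftpuser`, the `egress` interface group, and the default high port range 49152-65535.

```pf
# Constructed example, not part of the original thread.
# "ftpuser" is a hypothetical local account allowed to run the ftp client.
# 49152:65535 assumes the default values of the two sysctls named in the
# thread; confirm on the firewall with:
#   sysctl net.inet.ip.porthifirst net.inet.ip.porthilast
ftp_user = "ftpuser"

# Control channel and passive-mode data connections:
# outbound from an unprivileged source port, only for sockets owned by $ftp_user.
pass out on egress inet proto tcp from (egress) port > 1023 to any \
    user $ftp_user

# Active-mode data connections: the server connects back to a port the
# client opened in the high range. For inbound connections to the firewall
# itself, "user" matches the owner of the listening socket, so only ports
# currently opened by $ftp_user are reachable.
pass in on egress inet proto tcp from any to (egress) port 49152:65535 \
    user $ftp_user
```

Without the `user` match, the inbound rule would expose every service on the firewall that happens to listen in the high port range, which is why the restriction by userid is worth adding.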