Hi all,

(First, sorry if you receive this e-mail multiple times; I changed my SMTP server as the first one doesn't seem to get mails to this list.)

My firewall (OpenBSD 4.7) is running packet filter with NAT and ftp-proxy to provide FTP for hosts in the network behind the firewall/NAT. The problem is that for a host behind the firewall, connecting to an FTP server on the Internet through the firewall, active mode works but passive doesn't. On the firewall's external interface I can see packets going to the FTP server but no reply packets.

Trying FTP directly from the firewall, passive mode works but active doesn't (the ftp client says "425 Could not open data connection to port 55476: Connection refused"). In this case ftp-proxy is not used, as the firewall should be just like any other FTP client.

I have updated my pf.conf as per the 4.7 upgrade instructions and I have run tcpdump on the network interfaces as well as pflog0, but so far I don't understand what might be wrong. I tried to see the pf rules or states inserted by ftp-proxy with commands like 'pfctl -a "ftp-proxy/*" -sr', but it doesn't print anything, and trying 'pfctl -a '*' -sr' I get:

....
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
...

Any help appreciated. It is not a showstopper but pretty annoying, as e.g. Firefox defaults to passive mode.

Teemu
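For reference, this is the usual pf.conf pattern for running ftp-proxy with the OpenBSD 4.7 NAT syntax (rdr-to). It is an added illustration, not the poster's configuration, and the interface names ($int_if, $ext_if) and the proxy listening on 127.0.0.1:8021 (ftp-proxy's default) are assumptions; the anchor name must match what ftp-proxy uses, which is also what the pfctl -a "ftp-proxy/*" -sr query in the post inspects.

```conf
# Added example (not the poster's pf.conf): ftp-proxy on OpenBSD 4.7
# with the rdr-to syntax. $int_if / $ext_if are assumed macro names.
int_if = "em0"
ext_if = "em1"
ftp_proxy = "127.0.0.1"

# NAT for the internal network out the external interface.
match out on $ext_if from $int_if:network nat-to ($ext_if)

# ftp-proxy inserts its per-session rules (the passive-mode data
# connections included) into sub-anchors under "ftp-proxy".
# The anchor must be evaluated before the rules that would otherwise
# block the data connections.
anchor "ftp-proxy/*"

# Redirect internal clients' FTP control connections to the proxy,
# which then speaks to the remote server on their behalf.
pass in quick on $int_if inet proto tcp to port ftp rdr-to $ftp_proxy port 8021

# The proxy itself must be allowed to reach FTP servers.
pass out quick inet proto tcp from $ftp_proxy to any port ftp
```

The rules ftp-proxy adds are only visible inside its sub-anchors, so the -sr listing is empty unless a client session is currently open; pfctl -a "ftp-proxy/*" -ss shows the corresponding states in the same way.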