Steve,
Sorry about giving you an answer which was a bit off.
Of course Daniel Hartmeier is right with regard to the negation.
I also just noticed that your pflog0 dump actually says pass instead of block.
Must have been the effects of a slight flu I'm suffering from.
Good that you have it working now.
Regards,
Daniel
==== Original message from Daniel Polak at 9-11-2004 0:04
==== Original message from Maat, Steve at 8-11-2004 23:21
Some internal ftp clients do not appear to be working through a new OpenBSD (3.6) pf firewall configured with ftp-proxy.
I am trying to prevent several clients from being redirected by the ftp-proxy since they can't seem to handle the way ftp-proxy takes over the ftp session. I am not sure if they cannot handle the change in the TCP/IP address or if it's a port issue (XP with SP2 firewall = BAD, XP without SP2 firewall = good).
Anyway, is this a valid rule for the ftp-proxy rdr rule:
rdr on em0 proto tcp \
    from { !152.12.29.195 , 152.12.0.0/16 } \
    to any port 21 -> 127.0.0.1 port 8021
I've made the change to pf.conf, flushed rules, state & nat and reloaded pf.conf, but when monitoring pflog0 during the ftp session I still see the following:
Nov 08 17:03:21.009015 rule 1008/0(match): pass in on em0: 152.12.29.195.2514 > 127.0.0.1.8021: S 1646188028:1646188028(0) win 64512 <mss 1460,nop,nop,sackOK>
Steve,
A rdr rule is not the same as a pass rule.
You probably also need a rule like:
pass in quick on em0 proto tcp from { !152.12.29.195 , 152.12.0.0/16 } to 127.0.0.1 port 8021
Check what rule 1008 is with pfctl -v -v -s rules | grep @ | more. That should help you find out what rule is blocking the FTP transfer.
Daniel
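The negation problem behind this thread, with the corrected rules, as an added example that is not part of the original messages. It assumes em0 is the internal interface (as in Steve's rules), that ftp-proxy listens on 127.0.0.1 port 8021, and that the external interface is called em1 (an assumption; the thread never names it). The addresses are the ones from the thread. The `flags S/SA keep state` idiom is what a 3.6-era ruleset needs, since pass rules were stateless by default then.

```pf
# Added example, not from the original thread.
int_if = "em0"      # internal interface, as in the thread
ext_if = "em1"      # assumption: external interface name

# Why the original rdr still caught 152.12.29.195: a list is expanded
# into one rule per item, so
#   rdr on em0 proto tcp from { !152.12.29.195, 152.12.0.0/16 } to any port 21 -> 127.0.0.1 port 8021
# becomes
#   rdr on em0 proto tcp from ! 152.12.29.195 to any port 21 -> 127.0.0.1 port 8021
#   rdr on em0 proto tcp from 152.12.0.0/16 to any port 21 -> 127.0.0.1 port 8021
# and the second rule matches 152.12.29.195. 'pfctl -vnf /etc/pf.conf'
# prints the expanded rules without loading them.

# Fix: exclude the host first. Translation rules are first-match, so a
# 'no rdr' placed before the rdr stops redirection for that one client.
no rdr on $int_if proto tcp from 152.12.29.195 to any port 21
rdr on $int_if proto tcp from 152.12.0.0/16 to any port 21 -> 127.0.0.1 port 8021

# rdr only translates. The filter then sees the packet with its translated
# destination (127.0.0.1:8021, exactly what the pflog line showed), so the
# redirected clients still need a pass rule for that address and port.
pass in quick on $int_if proto tcp from 152.12.0.0/16 to 127.0.0.1 port 8021 flags S/SA keep state

# The excluded client now reaches port 21 directly and needs its own pass,
# plus an outbound pass on the external side. Its data channel is no longer
# handled by ftp-proxy, so passive-mode data ports must be allowed separately.
pass in quick on $int_if proto tcp from 152.12.29.195 to any port 21 flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -vsn` lists the translation rules in the order pf evaluates them and `pfctl -vvsr | grep @` gives the `@N` rule numbers that pflog reports (rule 1008 in Steve's dump). Watching `tcpdump -n -e -ttt -i pflog0` during a session from 152.12.29.195 should then show the connection going to the real server's port 21 rather than to 127.0.0.1.8021. An alternative to `no rdr` is a table with a negated entry, `table <ftp_clients> { 152.12.0.0/16, !152.12.29.195 }` used as `from <ftp_clients>`, since table lookups use the longest matching prefix and so honour the exclusion, unlike a list.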