Hi, I've read http://www.openbsd.org/faq/pf/ftp.html about what to do to allow ftp through the pf firewall, and have tried that, but I am still having problems. I would like to have rules that support both active and passive ftp. On my internal network there are different operating systems with different ftp clients. By the way, I'm using OpenBSD 3.6 and my firewall provides NAT to the internal network.
Here's what I have in my inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n

Here's some of what I have in my pf.conf:

ext_if = "fxp0"
int_if = "sis0"
network = "10.10.0.0/16"
nat_protocols = "{ icmp, tcp, udp }"
proto_options = "modulate state"
tcpsrv_options = "flags S/SA"
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"

# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

pass in on $ext_if inet proto tcp from port 20 to $ext_if \
    user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from $ext_if to any \
    port $tcp_ports $tcpsrv_options $proto_options

How can I write rules that will support both active and passive ftp and allow my internal machines to connect to external ftp sites? Let me know what is wrong with what I have. Thanks.

Phusion
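The following is an added example ruleset, not the original poster's configuration and not the OpenBSD FAQ's text. It reuses the macros from the post and shows the one structural point the post's rules miss: a passive-mode data connection goes from the firewall to whatever high port the remote server announces, so a pass out rule restricted to $tcp_ports cannot match it. The example assumes ftp-proxy is running as user "proxy" (the default user it drops to) and that the interfaces, network and port list are the ones in the post.

```pf
# Added example (not from the original post). Macros are taken from the post;
# the assumption that ftp-proxy runs as user "proxy" is the proxy's default.
ext_if = "fxp0"
int_if = "sis0"
network = "10.10.0.0/16"
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"

# NAT the private network behind the single routable address.
nat on $ext_if inet proto { icmp, tcp, udp } from $network to any -> ($ext_if)

# Control connection: every internal client -> port 21 is diverted to the
# local ftp-proxy listening on 127.0.0.1:8021 (see the inetd.conf line).
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Active mode: the remote server opens the data connection from its port 20
# to the firewall's external address. Only a socket owned by the proxy user
# may accept it, so nothing else on the firewall is reachable this way.
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# Passive mode (and the proxied control connection): the proxy itself
# connects outward from the firewall. The server's data port is arbitrary,
# so this rule matches on the owning user and keeps state instead of on a
# fixed port list.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    user proxy flags S/SA keep state

# Ordinary NATed client traffic stays limited to the listed services.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    port $tcp_ports flags S/SA modulate state
```

The rule of thumb the example encodes is that the proxy owns both ends of the FTP data path on the firewall, so the pf rules key on `user proxy` rather than on data ports. `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -s state` while a client transfers a file shows whether the data connection appears as a state from port 20 inbound (active) or to a high port outbound (passive).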