Hello again, and thanks for the replies. I forgot to mention that I was using the ftp proxy in ipnat.conf.
I added two lines to make sure it worked from the gateway itself, as well as the LAN:

map rtk0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map rtk0 84.x.x.x/32 -> 0/32 proxy port ftp ftp/tcp

At the end of this email are the full filter conf files. Trying ftp ftp.netbsd.org, control commands are passed fine, but any passive data requests are blocked:

ftp> ls
229 Entering Extended Passive Mode (|||61401|)
200 EPRT command successful.
421 Service not available, remote server timed out.
Connection closed

Corresponding blocked packets:

15/12/2004 20:38:04.660025 rtk0 @0:2 b 84.x.x.x,54650 -> 204.152.190.13,61401 PR tcp len 20 60 -S OUT
15/12/2004 20:38:04.968974 rtk0 @0:2 b 204.152.190.13,61392 -> 84.x.x.x,54649 PR tcp len 20 60 -S IN

I have a default block out all, then pass out on port 21 keep state, so these higher ports will get blocked if the ftp proxy doesn't do anything about it (which it doesn't seem to). Maybe I have configured the ftp proxy wrong?

I use 0/32 because the IP address of the external interface is provided by DHCP, which does change. I can't do anything about this. I have another question about this, but I'll start a new thread.

I could use policy and bandwidth throttling, but I have to keep the system as simple as possible, and altq-related things might go beyond this. Enforcing policy is not simple either, due to the circumstances of where this system is used.

Thanks again for your help,
Amadeus

=======
; this is an initial set of filters which will be refined with SYN out/reserved/short/frag packets later on when ftp works!
ipf.conf:

#OFFICE HOURS
#loopback/internal interfaces:
pass out from any to any
pass in from any to any

# external interface rtk0; icmp is ok
block out log on rtk0 proto tcp/udp from any to any
block in log on rtk0 proto tcp/udp from any to any

# incoming ssh
pass in quick on rtk0 proto tcp from any to any port = 22 flags S keep state

# dhcpclient
pass out quick on rtk0 proto udp from any to any port = 67 keep state

# http for lan and this address
pass out quick on rtk0 proto tcp from any to any port = 80 keep state

# bind9
pass out quick on rtk0 proto tcp/udp from any to any port = 53 keep state

# VPN
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 1723 keep state

# Warcraft 3
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 6112 keep state

# MSN, AOL Messenger
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 1863 keep state
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 5050 keep state
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 5190 keep state

# email
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 25 keep state
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 110 keep state
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 143 keep state

# ssl
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 443 keep state

# ssh
pass out quick on rtk0 proto tcp from 192.168.0.0/24 to any port = 22 keep state

# ftp
pass out quick on rtk0 proto tcp from any to any port = 21 keep state

=======
ipnat.conf:

rdr ex0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
map rtk0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map rtk0 84.x.x.x/32 -> 0/32 proxy port ftp ftp/tcp
map rtk0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
map rtk0 192.168.0.0/24 -> 0/32
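Added example, not part of Amadeus's post and not IPFilter code: the point of a `proxy port ftp` mapping is that the proxy watches the control channel, reads the data port the server announces in its 227 (PASV) or 229 (EPSV) reply, and creates state for that data connection so it never has to match a pass rule. The quickest way to tell whether the proxy actually did that is to pull the announced ports out of the client transcript and match them against the ipmon block lines. The script below does exactly that for the transcript and the two log lines quoted above (embedded here as constructed sample input); the ipmon field layout it parses is the one shown in the post, and the function names and the "passive-data"/"inbound-syn" labels are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the client transcript and the two ipmon block lines
# quoted in the post above, embedded here so the script runs offline.
FTP_TRANSCRIPT = """\
ftp> ls
229 Entering Extended Passive Mode (|||61401|)
200 EPRT command successful.
421 Service not available, remote server timed out.
Connection closed
"""

IPMON_LOG = """\
15/12/2004 20:38:04.660025 rtk0 @0:2 b 84.x.x.x,54650 -> 204.152.190.13,61401 PR tcp len 20 60 -S OUT
15/12/2004 20:38:04.968974 rtk0 @0:2 b 204.152.190.13,61392 -> 84.x.x.x,54649 PR tcp len 20 60 -S IN
"""

# 229 reply to EPSV (RFC 2428) carries only the port: (|||port|)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# 227 reply to PASV (RFC 959) carries h1,h2,h3,h4,p1,p2; the port is p1*256 + p2
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# ipmon line layout as shown in the post:
# date time iface @group:rule action src,sport -> dst,dport PR proto ... IN|OUT
IPMON_RE = re.compile(
    r"^(?P<stamp>\S+ \S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"(?P<rest>.*) (?P<dir>IN|OUT)$"
)


@dataclass(frozen=True)
class Blocked:
    stamp: str
    iface: str
    rule: str        # "group:rule" as ipmon prints it, e.g. "0:2"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flags after the '-', e.g. "S" for a bare SYN
    direction: str   # "IN" or "OUT"


def passive_ports(transcript: str) -> set[int]:
    """Data ports the server announced in 227 (PASV) or 229 (EPSV) replies."""
    ports: set[int] = set()
    for line in transcript.splitlines():
        m = EPSV_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = PASV_RE.match(line)
        if m:
            ports.add(int(m.group(5)) * 256 + int(m.group(6)))
    return ports


def parse_ipmon(log: str) -> list[Blocked]:
    """Parse ipmon output, keeping only the blocked ('b') entries in log order."""
    blocked: list[Blocked] = []
    for line in log.splitlines():
        m = IPMON_RE.match(line)
        if not m or m.group("action") != "b":
            continue
        flags = re.search(r"-([A-Z]+)", m.group("rest"))
        blocked.append(Blocked(
            stamp=m.group("stamp"), iface=m.group("iface"),
            rule=f"{m.group('group')}:{m.group('rule')}",
            src=m.group("src"), sport=int(m.group("sport")),
            dst=m.group("dst"), dport=int(m.group("dport")),
            proto=m.group("proto"), flags=flags.group(1) if flags else "",
            direction=m.group("dir"),
        ))
    return blocked


def classify_blocks(transcript: str, log: str, ctl_port: int = 21) -> list[tuple[str, Blocked]]:
    """Tag each blocked packet by its role in the FTP session.

    A working ftp proxy creates state for the data connection it saw negotiated
    on the control channel, so an outbound SYN to a port the server announced
    should never reach the block rule.  Any "passive-data" hit therefore means
    the proxy did not act on that reply.
    """
    announced = passive_ports(transcript)
    tagged = []
    for b in parse_ipmon(log):
        if ctl_port in (b.sport, b.dport):
            kind = "control"
        elif b.direction == "OUT" and b.dport in announced:
            kind = "passive-data"   # our SYN towards the announced passive port
        elif b.direction == "IN" and "S" in b.flags:
            kind = "inbound-syn"    # the server opening a connection towards us,
                                    # as it does after a PORT/EPRT command
        else:
            kind = "other"
        tagged.append((kind, b))
    return tagged


if __name__ == "__main__":
    for kind, b in classify_blocks(FTP_TRANSCRIPT, IPMON_LOG):
        print(f"{kind:13} {b.direction:3} {b.src}:{b.sport} -> {b.dst}:{b.dport} rule {b.rule} flags {b.flags}")
```

Run against the quoted lines it tags the first block as passive-data (the outbound SYN to 61401, the port announced in the 229 reply) and the second as an inbound SYN from the server to a high client port, which is the shape of an active-mode data connection after the client fell back to EPRT. Either way the proxy left no state for the data channel. Two things worth checking before touching the rules: that `ipnat -l` shows the proxy mapping is the one matched by the control session (the plain `map ... portmap` line further down also matches port 21 traffic if it is tried first), and whether the transcript changes when the client is forced to classic PASV/PORT instead of the extended EPSV/EPRT forms, since the proxy's handling of the extended commands depends on the IPFilter version in use.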
