So I have an FTP server behind a pf firewall running generic 3.6, and am trying to run ftp-proxy in reverse mode. Active transfers work, but passive ones don't. I'm quite sure the firewall rules are right, because of the active transfers working, and because I can see the problem in the FTP logs. Here's the deal:
/etc/inetd.conf:

    127.0.0.1:8022 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -t 300 -S xxx.xxx.xxx.xxx -R yyy.yyy.yyy.yyy

For what it's worth, I have another ftp-proxy set up in inetd.conf to run on port 8021 to proxy internal FTP clients. yyy is my FTP server's internal address, xxx is my firewall's external address.

I started testing without the -S option and found that whenever I tried to go into passive mode, the server said I should open data connections to 127.0.0.1, as follows:

    <snipped login>
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> passive
    Passive mode on.
    ftp> ls
    227 Entering Passive Mode (127,0,0,1,239,211)
    ftp: connect: Connection refused

So I found out about the -S option, which I understand is supposed to change the 127,0,0,1 in the 227 response above to xxx.xxx.xxx.xxx. So I added that to inetd.conf, HUP'd inetd, and got exactly the same response.

Any suggestions? I'm sure ftp-proxy is handling my connection:

- pgrep ftp-proxy finds an ftp-proxy process when I log in with my ftp client, which goes away when I exit the ftp client again.
- ps auxw | grep `pgrep ftp-proxy` shows me the command line that ftp-proxy instance was started with, and it shows the -S option along with all the other options.
- fstat -p `pgrep ftp-proxy` returns a list of open handles, including sockets connected to my ftp server and to my home IP address.

So as far as I can tell, ftp-proxy is running fine, but ignoring -S. Is there something obvious I've missed? Any suggestions are much appreciated.

-Josh
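The failure in the post is visible in one line of the control channel: the 227 reply to PASV advertises an address the client cannot reach. The following is an added diagnostic, not code from the post or from OpenBSD's ftp-proxy: it parses a 227 reply per RFC 959 (four address octets, then port = p1*256 + p2), classifies the advertised address against the address the client used for the control connection, and shows the rewrite the poster expects -S to perform. The sample replies and the control-peer address 203.0.113.10 (standing in for xxx.xxx.xxx.xxx) are constructed for the example.

```python
import ipaddress
import re

# Added diagnostic, not part of the original post or of ftp-proxy itself.
# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or raise ValueError if malformed."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # p1*256 + p2 per RFC 959
    if port == 0:
        raise ValueError("port 0 in %r" % line)
    return ip, port


def check_pasv(line, control_peer):
    """Classify the advertised data address relative to the control peer.

    control_peer is the address the client connected to for the control
    channel (in the post's setup, the firewall's external address).
    Returns 'ok', 'loopback', 'private' or 'mismatch'. 'loopback' is the
    case shown in the post: the client is told to connect to 127.0.0.1.
    """
    ip, _port = parse_pasv_reply(line)
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if ip == control_peer:
        return "ok"
    if addr.is_private:
        return "private"      # server's internal address leaked through
    return "mismatch"         # some other public address


def rewrite_pasv_reply(line, new_ip):
    """Re-emit the 227 reply with new_ip in place of the advertised address,
    keeping the port. This is the substitution the poster expects -S to do;
    it is shown here as an illustration, not as ftp-proxy's own behaviour."""
    _ip, port = parse_pasv_reply(line)
    octets = new_ip.split(".") + [str(port // 256), str(port % 256)]
    return "227 Entering Passive Mode (%s)" % ",".join(octets)


if __name__ == "__main__":
    # Constructed sample: the post's reply plus two variants, checked against
    # a made-up external address standing in for xxx.xxx.xxx.xxx.
    control_peer = "203.0.113.10"
    samples = [
        "227 Entering Passive Mode (127,0,0,1,239,211)",      # from the post
        "227 Entering Passive Mode (192,168,1,5,239,211)",    # internal addr
        "227 Entering Passive Mode (203,0,113,10,239,211)",   # what -S should give
    ]
    for s in samples:
        ip, port = parse_pasv_reply(s)
        print("%-50s -> %s:%d  [%s]" % (s, ip, port, check_pasv(s, control_peer)))
    print("rewritten:", rewrite_pasv_reply(samples[0], control_peer))
```

Run it against a capture of the control channel (tcpdump on the firewall's external interface, port 21) to see whether the 227 reply leaving the proxy still carries 127,0,0,1, which is what the ftp client output above implies; if the reply on the wire is already correct, the problem is on the data-connection side instead.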

