Hello,
in migrating our netfilter box to a pf box I need to solve one remaining
problem: Passive FTP (sigh)
I've read "PF: Issues with FTP" carefully and tried to set up
ftp-proxy(8) on the firewall. Now it seems I have a fundamental
misunderstanding of how it should work.
My client is 172.16.3.99
An example FTP server is 195.135.221.132
Of course, I do NAT on the pf box, which routes traffic from the LAN to the
Internet. The mentioned rdr rule works, so traffic on port 21 is redirected
to localhost:8021 ... However, though the initial control connection is
redirected, the subsequent ones are not. tcpdump output:
pass in on em0: 172.16.3.99.35563 > 127.0.0.1.8021
block in on em0: 172.16.3.99.57611 > 195.135.221.132.46778
Does that mean I have to open all client's outgoing ports to 'any' just
to get passive ftp running? Or do I need a second rule that redirects
subsequent things to ftp-proxy as well?
Thanks for the help!
--
Stephan A. Rickauer
----------------------------
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
----------------------------
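As an added illustration (not part of the original post or of any reply to it), here is the ruleset shape that the "PF: Issues with FTP" document and ftp-proxy(8) expect around the rdr rule quoted above. It uses the pre-4.7 pf syntax that document was written for; em0 is taken from the tcpdump lines as the LAN-facing interface, while em1 as the external interface and 172.16.3.0/24 as the LAN prefix are assumptions, since the post only names the single client 172.16.3.99.

```pf
# Added example, not the original poster's ruleset.
# Assumptions: pre-4.7 pf syntax (nat/rdr keywords), em0 = LAN side (from
# the tcpdump output in the post), em1 = external side, LAN = 172.16.3.0/24.
# ftp-proxy(8) must already be running on the firewall, listening on
# 127.0.0.1:8021 (its default).

int_if = "em0"
ext_if = "em1"            # assumed
lan    = "172.16.3.0/24"  # assumed
proxy  = "127.0.0.1"

# Anchors that ftp-proxy(8) populates at run time. For every data
# connection negotiated on the control channel it inserts a nat, rdr and
# pass rule into a sub-anchor under "ftp-proxy/". If these anchors are
# missing, the proxy has nowhere to put those rules and the data
# connection falls through to the default block, which is exactly what the
# second tcpdump line shows (57611 > 195.135.221.132.46778 blocked).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $lan to any -> ($ext_if)

# Redirect the FTP control connection to the local proxy (the rule the
# post already has working).
rdr pass on $int_if proto tcp from $lan to any port 21 -> $proxy port 8021

block all

# Filter anchor: evaluated at this point in the ruleset, so the proxy's
# per-session pass rules take effect here. Without it the dynamic rules
# are never consulted.
anchor "ftp-proxy/*"

# The proxy itself opens the control connection to the real server from
# the firewall's external address.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 keep state

# Remaining LAN traffic (no need to open all high ports to "any").
pass in on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state
```

While a passive transfer is in progress, `pfctl -a ftp-proxy -sA` lists the sub-anchor the proxy created for that session, and `pfctl -a "ftp-proxy/<name>" -sr` (with the listed name) shows the rdr/pass rules it inserted; an empty list while the transfer is being blocked points at a missing or misplaced anchor rather than at a filter problem. On pf 4.7 and later the same layout is written with `match ... nat-to`, `pass in ... rdr-to` and a single `anchor "ftp-proxy/*"` line, as the current ftp-proxy(8) manual describes.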