System: OpenBSD 4.9 i386. I am pasting a link to the entire PF ruleset:
http://pastebin.com/vdbidqAL

I would be grateful if someone more knowledgeable about PF would explain to me why I can't browse an FTP server (e.g., ftp.heanet.ie) from a client (e.g., Firefox) behind the firewall with the rules as they stand. Allowing all traffic to pass out on the external interface does allow FTP to pass, but I want to tighten up the rule so that it references traffic destined for port 21. As I understand it, ftp-proxy connects to port 21 on the server, but from what I can tell by running tcpdump on pflog0, the FTP client is opening up a channel to port 21 *and* to another high port. I thought the idea of ftp-proxy was to open the channel to port 21 on the server and then to control the NAT mappings and data channel ports. Other recommendations to tighten or optimise the ruleset are welcome as well.
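For reference, the following is an added, minimal pf.conf fragment showing how ftp-proxy(8) is normally wired into a post-4.7 (OpenBSD 4.9) ruleset with egress restricted to port 21 for the control channel. It is not the poster's ruleset from the pastebin link; the interface names, LAN subnet and other egress ports are assumptions made for the example.

```pf
# Added example, not the original poster's ruleset.
# Interface names and the LAN subnet are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

set skip on lo

# ftp-proxy(8) inserts its own "quick" pass rules (with rdr-to/nat-to)
# into sub-anchors of this anchor, one per FTP session, to handle the
# data channel. It must be present, or passive/active data connections
# have nothing to let them through.
anchor "ftp-proxy/*"

# Outbound NAT for the LAN.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

block log all

# Control channel: a LAN client connecting to any server's port 21 is
# redirected to the local ftp-proxy (default listen port 8021). The client
# never talks to the remote FTP server directly.
pass in quick on $int_if inet proto tcp from $lan to any port 21 \
    rdr-to 127.0.0.1 port 8021

# Everything else from the LAN is allowed in; egress is limited below.
pass in on $int_if inet from $lan to any

# ftp-proxy, a process on the firewall itself, opens the real control
# connection to the server. Only port 21 needs to be allowed here; the
# data channels are covered by the rules ftp-proxy adds to its anchor.
pass out on $ext_if inet proto tcp to any port 21

# Other egress, listed explicitly instead of "pass out all" (assumed ports).
pass out on $ext_if inet proto tcp to any port { 80 443 }
pass out on $ext_if inet proto udp to any port 53
```

ftp-proxy has to be running for the redirect target to exist (on 4.9, `ftpproxy_flags=""` in /etc/rc.conf.local, or start it by hand with `ftp-proxy -d -D 7` to see each session logged to stderr). Two checks are worth doing while a client browses a server: `pfctl -ss | grep 8021` should show the client's control connection terminating at 127.0.0.1:8021, and `pfctl -a 'ftp-proxy/*' -sr` should show the per-session rules the proxy inserted for the data channel. If instead pflog0 shows the LAN client's own address connecting to the server's high port, the client's control connection did not go through the `rdr-to` rule, so it is speaking FTP to the server directly and passive-mode data connections are being blocked by the tightened egress rule.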

