hello all, I set up my firewall as described in ftp-proxy(8) in order to make ftp work.

my setup:

    [comp 1]-----[gateway/firewall]-----Internet

The problem is that ftp (both active and passive mode) only works on comp 1. When I try to connect to an ftp server from my firewall machine I can log in normally, but when I try to transfer some data pf blocks it. I think the problem might be that ftp traffic from my firewall machine doesn't go through the proxy at all, so ftp-proxy doesn't create any rules for it. For example, if I open an ftp connection from comp 1 I get:

    [EMAIL PROTECTED] ~$ pfctl -sA -v
      ftp-proxy
      ftp-proxy/26261.5

but if I do the exact same thing from my firewall machine I only get:

    [EMAIL PROTECTED] ~$ pfctl -sA -v
      ftp-proxy

So can someone please tell me how to make the proper corrections to make ftp work from the firewall as well.

some useful information:

    [EMAIL PROTECTED] ~$ uname -a
    OpenBSD pika.zbontar.org 3.9 GENERIC#617 i386

    [EMAIL PROTECTED] ~$ cat /etc/pf.conf
    # macros
    ext_if = "tun0"
    int_if = "we0"
    lan = $int_if:network
    proxy = "(" $ext_if ")"

    # nat
    nat on $ext_if from $int_if to any -> ($ext_if)

    # ftp-proxy (from man page)
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr pass on $int_if proto tcp from $lan to any port 21 -> \
        127.0.0.1 port 8021

    # default deny
    block all

    # more ftp-proxy related rules
    anchor "ftp-proxy/*"
    pass out proto tcp from $proxy to any port 21 keep state

    # allow name resolution
    pass out on $ext_if proto { tcp udp } to port domain keep state

    # allow traffic on $int_if
    pass on $int_if

    [EMAIL PROTECTED] ~$ ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
            groups: lo
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:60:97:2d:dd:dd
            media: Ethernet 10baseT (10baseT half-duplex)
            status: active
            inet6 fe80::260:97ff:fe2d:dddd%xl0 prefixlen 64 scopeid 0x1
    we0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:c0:e6:27:94
            media: Ethernet 10base2
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::200:c0ff:fee6:2794%we0 prefixlen 64 scopeid 0x2
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
    pfsync0: flags=0<> mtu 1460
    enc0: flags=0<> mtu 1536
    tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
            groups: tun egress
            inet 213.250.22.254 --> 213.250.19.90 netmask 0xffffffff

    [EMAIL PROTECTED] ~$ cat /etc/rc.conf.local
    pf=YES
    ftpproxy_flags=""

regards,
Jure
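The diagnosis in the post is consistent with how rdr works: a connection the gateway opens itself never arrives "in" on $int_if, so the rdr from ftp-proxy(8) never matches it and the proxy never learns about the session, which is why no ftp-proxy/NNNN.N anchor appears. The following pf.conf is an added example, not part of Jure's post and not taken from ftp-proxy(8). It assumes two things that should be checked on the box rather than trusted: that a `pass out ... route-to lo0` rule makes a locally originated packet re-enter pf inbound on lo0 where a `rdr on lo0` can catch it, and that ftp-proxy drops privileges to the user `proxy`, which is what the `user != proxy` clause relies on to keep the proxy's own server connection from being looped back into itself. Everything except the lines marked "added" is Jure's ruleset as posted.

```pf
# Added example, not from the original post or from ftp-proxy(8):
# steer the gateway's own FTP control connections into ftp-proxy.
# The route-to lo0 / rdr on lo0 pairing and the proxy user name are
# assumptions to verify, not a tested configuration.

# macros (as posted)
ext_if = "tun0"
int_if = "we0"
lan = $int_if:network
proxy = "(" $ext_if ")"

# nat (as posted)
nat on $ext_if from $int_if to any -> ($ext_if)

# ftp-proxy anchors and the LAN redirect (as posted)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan to any port 21 -> \
    127.0.0.1 port 8021

# added: a connection opened on the gateway itself is only ever seen
# inbound on lo0 (after the route-to rule below), so redirect it there.
# "rdr pass" also lets it through the default deny on lo0.
rdr pass on lo0 proto tcp from ($ext_if) to any port 21 -> \
    127.0.0.1 port 8021

# default deny (as posted)
block all

# ftp-proxy filter anchor (as posted); the proxy inserts the per-session
# pass rules for the data connections here.
anchor "ftp-proxy/*"

# as posted: ftp-proxy's own control connection to the real server.
pass out proto tcp from $proxy to any port 21 keep state

# added: force the gateway's own ftp client onto lo0 so the rdr above
# applies. Placed after the proxy rule on purpose: pf is last-match, so
# the client's packet ends up here while the proxy's packet, excluded by
# "user != proxy" (assumed privilege-drop user of ftp-proxy), stays on
# the rule above instead of looping back into the proxy.
pass out on $ext_if route-to lo0 proto tcp from ($ext_if) to any port 21 \
    user != proxy keep state

# allow name resolution (as posted)
pass out on $ext_if proto { tcp udp } to port domain keep state

# allow traffic on $int_if (as posted)
pass on $int_if
```

After `pfctl -f /etc/pf.conf`, the check is the one Jure already used: open an ftp session from the gateway and run `pfctl -sA -v`; if the control connection now passes through the proxy, a child anchor of the form `ftp-proxy/NNNN.N` appears exactly as it does for comp 1, and `pfctl -a 'ftp-proxy/*' -sr` shows the data-connection rules the proxy installed. If the data transfer is still blocked, `tcpdump -n -e -ttt -i pflog0` shows which rule dropped it; note that `block all` as posted is not `log`, so add `log` to it while debugging.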