On Tue, 10 Apr 2007, Steve Mertz wrote:

> I'm trying to setup a firewall that allows FTP in to a server that is NATd on
> the other side. But that only allows access from one address outside the
> firewall.
>
> Something like:
>
> Machine -> Internet -> Firewall/NAT -> FTP server
>
> I realize I need to use ftp-proxy to get through the NAT part of the firewall,
> but I'm not having much luck with it so far.
>
> Here is what I have:
> /usr/sbin/ftp-proxy -R 10.10.11.10
>
> pf.conf:
>
> $dev_addr = machine that has access to ftp to this server.
> $proxy_addr = "127.0.0.1"
>
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
>
> block in all
> block out all
> anchor "ftp-proxy/*"
> pass in proto tcp from $proxy_addr to any port 21 keep state
This last rule is the problem. You need to pass _out_ from the firewall, and
not using the 127.0.0.1 address, but the address that the kernel will pick for
the connection to the server (10.10.11.1?).

Or you can try this:

pass out proto tcp from any to port 21 keep state user proxy

--
Cam
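For reference, a pf.conf fragment assembled from the thread with the outbound rule Cam describes, as an added example (not Steve's file or Cam's). The interface name, the client address and the firewall's inside address are assumed values; the server address and proxy port are the ones from the thread.

```pf
# Added example, not the original poster's ruleset.
# Assumed values: em0 is the WAN interface, 192.0.2.10 is the one outside host
# allowed to FTP in. 10.10.11.10 is the server given to ftp-proxy -R.
wan_if     = "em0"
dev_addr   = "192.0.2.10"
proxy_addr = "127.0.0.1"
ftp_srv    = "10.10.11.10"

# ftp-proxy fills these anchors with per-session rules for the data channels.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# The allowed client's control connection is redirected to ftp-proxy (port 8021).
# "rdr pass" also passes the redirected connection, so no extra "pass in" is needed.
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp \
    -> $proxy_addr port 8021

block in all
block out all

anchor "ftp-proxy/*"

# ftp-proxy's own connection to the real server leaves the firewall outbound
# with whatever source address the kernel picks (10.10.11.1 in the thread's
# guess), never 127.0.0.1. Matching on the owning process's user avoids
# depending on that address. "proxy" is the user from Cam's reply; check
# ftp-proxy(8) on your system, as some builds drop to "_proxy".
pass out proto tcp from any to $ftp_srv port ftp keep state user proxy
```

Narrowing the destination to $ftp_srv (rather than "any" as in the reply) matches the fixed server passed with -R; widen it only if the proxy serves several servers.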