On Tue, Jul 10, 2007 at 08:15:21PM +0000, Joseph Cheng wrote:
> Hello.. I have read the ftp section in the pf faq here
> http://openbsd.org/faq/pf/ftp.html and got it to work with internal ftp
> clients.
> But does someone have a pf.conf example where internal ftp clients connect to
> active and passive ftp sites on the internet AND where pf is protecting an ftp
> server on the lan behind the pf firewall? What I'm not clear about is, if two
> instances of ftp-proxy have to run (one for the ftp clients connecting to
> external servers and one for the internal ftp server), how to refer to each
> in pf.conf. TIA!
Like this (this uses the implied 'flags S/SA keep state' of 4.1 and later):

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    nat on $ext_if from $int_if:network to $ext_if:0
    anchor "ftp-proxy/*"
    block quick inet6
    block log(user)
    pass in proto tcp to 127.0.0.1 port 8021
    pass in proto tcp to 127.0.0.1 port 8022
    pass out proto tcp to { $ftp_server !<protected_networks>} user proxy
    pass in proto tcp from { $ftp_server !<protected_networks>} user proxy

You then run two ftp-proxy instances: one in the standard way, and another
with 'ftp-proxy 192.168.0.1 -p 8022 -R $FTP_SERVER' in /etc/rc.local.
Increase the number of sessions (-m) if desired.

Joachim

--
ftp-proxy (8) - Internet File Transfer Protocol proxy daemon