On 2007/08/21 10:15, Chris Smith wrote:
> On Tuesday 21 August 2007, Stuart Henderson wrote:
> > in -current ftp-proxy can add tags, you can then pass the traffic
> > using a rule that matches those tags (e.g. "tagged ftpproxy") and set
> > a label on that pass rule.
>
> Hello,
>
> Was actually looking at that last night but it didn't work the way I
> expected.
> I guess I don't know exactly when the tag gets applied.
>
> Scenario: 'ftp-proxy -T FTP_PROXY', anchors and rdr in place. With pass rule:
>
> pass out on $ext_if proto tcp from ($ext_if) to any port 21 tagged FTP_PROXY
> flags S/SA keep state
>
> ftp client on network fails
>
> if I remove the 'tagged' portion:
>
> pass out on $ext_if proto tcp from ($ext_if) to any port 21 flags S/SA keep
> state
>
> ftp client works fine
>
> Where am I going wrong?
The tag is added to the rules added dynamically by ftp-proxy for the data channel on the high-numbered port. The manually-added pf.conf rule for the control connection (on port 21) is unaffected by this change.
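As an added illustration (not part of the thread, and not taken from the ftp-proxy or pf sources), here is a pf.conf layout that follows the point above: the control-connection rule on port 21 is written without 'tagged' and carries the label, while the data-channel rules (the only ones that receive the -T tag) live inside the ftp-proxy anchor. $int_if, $ext_if, the 127.0.0.1 port 8021 listener and the label names are assumptions for the example.

```pf
# Constructed example pf.conf fragment for ftp-proxy run as 'ftp-proxy -T FTP_PROXY'.
# Interface macros are assumed; adjust for the real firewall.
int_if = "em0"
ext_if = "em1"

# Anchors that ftp-proxy fills in dynamically. The pass rules it inserts
# here are the data-channel rules, and those are the ones that get the
# FTP_PROXY tag.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect client control connections into the proxy (assumed listener
# on 127.0.0.1 port 8021, the ftp-proxy default).
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Control connection from the firewall itself to the FTP server. This is a
# static rule; the -T tag is never applied to it, so it must not use
# 'tagged'. A label here still lets 'pfctl -sl' count the control sessions.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 \
    flags S/SA keep state label "ftp-control"
```

To see where the tag actually lands, list the rules ftp-proxy has inserted while a data transfer is in progress: `pfctl -a 'ftp-proxy/*' -sr` prints the dynamically added data-channel rules, and the tag appears only on those, not on the port 21 rule in the main ruleset.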

