On Tue, 2 Oct 2007, Falk Brockerhoff wrote:

> When I try to connect to an ftp daemon "behind" the firewall I can see the
> following entry in /var/log/messages
>
> /var/log/messages.2.gz:Oct 2 09:58:32 buffy ftp-proxy[21285]: #478593
> proxy cannot connect to server 195.225.xx.yy: No route to host
>
> I can try this several times, same result. In the meantime I'm able to
> ping the target host on the cli of the firewall.

A better test would be to try if you can "nc <target> 21" from the firewall.

> > I'd guess that pf is blocking the control (port 21) connection for some
> > reason. Do you have limits on states, either globally or per rule?
>
> Maybe the limitation exists in ftp-proxy and not the firewall?
> /etc/rc.conf.local says:
> ftpproxy_flags="-a <loopback-ip> -m 500"

Please don't edit the information... Did you use "127.0.0.1" or some other
IP that's not routable for the loopback-ip?

> What will happen when the maximum of 500 sessions is reached? "No route
> to host" seems not to be the expected message :)

That's not it. If you reach the maximum you'll see something like "client
limit reached".

Can you show your NAT rules? And the information of "pfctl -si" when the
problem happens?

-- 
Cam
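The two checks suggested in this reply (a direct "nc <target> 21" from the firewall, and a look at the pf state table) can be scripted so they are run the same way each time the error appears. The script below is an added example, not code from the thread or from the ftp-proxy project; it assumes OpenBSD nc(1) with the -z and -w options and the line layouts of "pfctl -si" and "pfctl -sm" shown in the constructed sample output, which is embedded so the parsers can be exercised without a pf host.

```shell
#!/bin/sh
# Added example: FTP control-channel and pf state-table check for an
# ftp-proxy firewall. Assumptions: OpenBSD nc(1) supporting -z/-w, and the
# pfctl(8) output formats reproduced in the constructed samples below.

# 1. Test the control channel (port 21) directly from the firewall, which
#    is what "nc <target> 21" in the thread does; -z only checks the connect.
check_ctrl_port() {
    host=$1
    port=${2:-21}
    if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
        echo "open: $host:$port reachable from this host"
        return 0
    fi
    echo "closed: $host:$port not reachable; check pf rules and routes"
    return 1
}

# 2. Extract the "current entries" count from "pfctl -si" output on stdin.
parse_current_states() {
    awk '/current entries/ { print $3; exit }'
}

# 3. Extract the state-table hard limit from "pfctl -sm" output on stdin.
parse_state_limit() {
    awk '$1 == "states" && /hard limit/ { print $NF; exit }'
}

# 4. Return 0 (true) when current/limit is at or above the given percentage
#    (default 90); that would point at a state-limit problem, which pf reports
#    differently from the "No route to host" seen in the log.
states_near_limit() {
    current=$1
    limit=$2
    pct=${3:-90}
    [ "$limit" -gt 0 ] || return 1
    [ $(( current * 100 / limit )) -ge "$pct" ]
}

# Constructed sample output (not captured from a real host) so the parsers
# can be exercised offline; the numbers are invented.
SAMPLE_SI='Status: Enabled for 3 days 04:12:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      482
  searches                        19384234            0.3/s
  inserts                           219843            0.0/s
  removals                          219361            0.0/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Report state-table headroom from the constructed samples.
pf_state_report() {
    cur=$(printf '%s\n' "$SAMPLE_SI" | parse_current_states)
    lim=$(printf '%s\n' "$SAMPLE_SM" | parse_state_limit)
    if states_near_limit "$cur" "$lim"; then
        echo "states $cur/$lim: near limit"
    else
        echo "states $cur/$lim: headroom ok"
    fi
}

# Live run on a pf host: RUN_PF_CHECK=1 ./pfcheck.sh <target-ip>
if [ "${RUN_PF_CHECK:-0}" = "1" ]; then
    check_ctrl_port "${1:?target host required}" 21
    cur=$(pfctl -si | parse_current_states)
    lim=$(pfctl -sm | parse_state_limit)
    states_near_limit "$cur" "$lim" && echo "states $cur/$lim: near limit" \
        || echo "states $cur/$lim: headroom ok"
fi
```

Run with RUN_PF_CHECK=1 and the target address on the firewall itself: a "closed" result with plenty of state headroom points at a pf rule or route for the control connection, while a near-limit state table would produce a different ftp-proxy message than the one quoted above.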

