Hello,

Before posting I acknowledge I have read the FAQ. Based on that this is my PF config:
    t_externa = "re0"

    set block-policy drop
    set loginterface $t_externa
    set limit states 100000
    set limit frags 300000
    set limit src-nodes 50000
    set optimization aggressive
    set skip on lo0
    set debug urgent

    scrub in on $t_externa all
    scrub out on $t_externa all random-id

    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr on $t_externa proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    block all
    anchor "ftp-proxy/*"
    antispoof quick for { lo }

    #SSH
    pass in quick on $t_externa inet proto tcp from any to ($t_externa) \
        port 22 flags S/SA modulate state

    ##DNS
    pass out log quick on $t_externa inet proto { tcp, udp } from ($t_externa) to any \
        port 53 keep state

    ##FTP
    pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
        port ftp flags S/SA modulate state
    pass out log quick on $t_externa inet proto tcp from ($t_externa) to any \
        port 8021 flags S/SA modulate state

If I do "block log all", a tcpdump on pflog receives this:

    May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
    May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
    May 25 20:04:01.372812 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
    May 25 20:04:13.373244 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)

58 is my IP, 129 is ftp.openbsd.org.

I have also made sure that ftp-proxy is running; if I do telnet localhost 8021 I get:

    orion:~$telnet localhost 8021
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    Connection closed by foreign host.

Which I think suggests that I am running it correctly.

My conclusion is that somehow the rdr part to port 8021 isn't taking place, so the communication isn't channeled to the proxy..?

pfctl -s all reads:

    # pfctl -s all
    TRANSLATION RULES:
    nat-anchor "ftp-proxy/*" all
    rdr-anchor "ftp-proxy/*" all
    rdr log on re0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

    FILTER RULES:
    scrub in on re0 all fragment reassemble
    scrub out on re0 all random-id fragment reassemble
    block drop all
    anchor "ftp-proxy/*" all
    block drop in quick on ! lo inet from 127.0.0.0/8 to any
    block drop in quick on ! lo inet6 from ::1 to any
    block drop in quick inet6 from ::1 to any
    block drop in quick on lo0 inet6 from fe80::1 to any
    block drop in quick inet from 127.0.0.1 to any
    pass in quick on re0 inet proto tcp from any to (re0) port = ssh flags S/SA modulate state
    pass out quick on re0 inet proto tcp from (re0) to any port = ssh flags S/SA modulate state
    pass out quick on re0 inet proto tcp from (re0) to any port = domain flags S/SA keep state
    pass out quick on re0 inet proto udp from (re0) to any port = domain keep state
    pass out quick on re0 inet proto tcp from (re0) to any port = ftp flags S/SA modulate state
    pass out quick on re0 inet proto tcp from (re0) to any port = 8021 flags S/SA modulate state

    No queue in use

I have also started ftp-proxy with and without the -r flag.

Thank you.
Andres
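Added example, not code from the post above: a small Python parser for the tcpdump-on-pflog lines quoted there, which labels each blocked connection by its role in an FTP session (control connection, server-initiated active data channel from port 20, client-initiated passive data channel to a high port) and states what a blocked data channel implies about ftp-proxy. The sample lines are the poster's own; the client and server addresses are the ones the post names, and the verdict strings are this example's wording.

```python
import re
from collections import Counter

# Constructed sample: two pflog lines quoted in the post (client 58.46.80.70,
# ftp.openbsd.org at 129.128.5.191), as printed by tcpdump on the pflog interface.
SAMPLE_PFLOG = """\
May 25 20:03:55.067671 rule 0/(match) block out on re0: 58.46.80.70.46330 > 129.128.5.191.64072: S 1312607360:1312607360(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
May 25 20:03:55.375881 rule 0/(match) block in on re0: 129.128.5.191.20 > 58.46.80.70.63627: S 1300023739:1300023739(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
"""

# Shape of one line: "... rule N/(match) ACTION DIR on IF: SRC.SPORT > DST.DPORT: FLAGS ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifc>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse_pflog(text):
    """Yield one dict per parseable pflog line; other lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec

def classify(rec, local_ip, ftp_server):
    """Label a record by its role in an FTP session, or None if unrelated."""
    if rec["src"] == local_ip and rec["dst"] == ftp_server and rec["dport"] == 21:
        return "control"        # should have been redirected to 127.0.0.1:8021
    if rec["src"] == ftp_server and rec["sport"] == 20 and rec["dst"] == local_ip:
        return "active-data"    # server opens the data channel towards the client
    if rec["src"] == local_ip and rec["dst"] == ftp_server and rec["dport"] > 1023:
        return "passive-data"   # client opens the data channel towards the server
    return None

def diagnose(text, local_ip, ftp_server):
    """Count blocked FTP connections per role and return (counts, verdict)."""
    blocked = Counter(classify(r, local_ip, ftp_server)
                      for r in parse_pflog(text) if r["action"] == "block")
    blocked.pop(None, None)
    if blocked.get("control"):
        verdict = "control connection blocked on the outside interface"
    elif blocked.get("active-data") or blocked.get("passive-data"):
        verdict = ("data channel blocked: no ftp-proxy anchor rule passed it, "
                   "so the proxy did not handle this session")
    else:
        verdict = "no blocked FTP traffic"
    return dict(blocked), verdict
```

With the two quoted lines, diagnose() reports one blocked passive and one blocked active data channel and no blocked control connection, which is the pattern expected when the control session reaches the server directly rather than through the proxy.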