On 2010-03-12, Christopher Zimmermann <[email protected]> wrote:
> On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:
>> > As I understand it, ftp-proxy could be used to create rules for
>> > inbound and outbound connections on 4.6. Now on -current the rdr
>> > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
>> > suggests using rdr-to, but this only works for inbound
>> > connections.
>> >
>> > Is it possible to allow ftp connections from a local client to
>> > public ftp servers on the internet? Possibly by using ftp-proxy?
>>
>> I suspect your understanding of "inbound" is from the viewpoint
>> of your network; PF doesn't care about that at all, it's only
>> concerned with whether a packet is inbound or outbound to a
>> particular interface.
>
> OK, thanks. That's clear. I don't have a whole net. It's just a
> single workstation, using pppoe0 to reach the internet. So the
> ftp client is running on the firewall, not behind it. The packets
> will be outbound on my pppoe0, but not inbound on any interface,
> will they?
>
>> rdr only works for inbound connections too.
>
> As I understood it, it works _only_ for inbound connections.

Yes, that's what I said; there's no change though:

in 4.6, rdr only works for inbound connections
in -current, rdr-to only works for inbound connections

ftp-proxy never was applicable to this sort of situation..

> it seems to me that it is in fact not possible at the moment to
> use a ftp-client on a firewall until the current restriction on
> rdr-to in pfctl will be removed. Is this true?

You'll need to add rules to allow the connections through if you want to do this.
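As an added illustration of the rules the reply refers to (this fragment is not from the thread or from the OpenBSD project), the following pf.conf excerpt passes an ftp client running on the firewall itself. The external interface pppoe0 comes from the thread; the `$ext_if` macro, the `block all` default and the rule layout are assumptions for this example. Passive-mode FTP only needs outbound connections, which stateful `pass out` rules cover; active mode additionally needs the server's data connection from port 20 to reach the client, so that rule is wider and should be left out unless the client cannot use passive mode.

```pf
ext_if = "pppoe0"

# Default deny; pass rules keep state by default on -current,
# so return packets of each allowed connection are matched by state.
block all

# FTP control connection opened by the ftp client on this host.
pass out on $ext_if proto tcp from ($ext_if) to any port 21

# Passive mode: the client opens the data connection to a high
# port on the server after the PASV reply.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023

# Active mode only: the server opens the data connection back to
# us from port 20. Omit this if passive mode is enough, since it
# admits any source that claims source port 20.
pass in on $ext_if proto tcp from any port 20 to ($ext_if) port > 1023
```

The rules are ordinary filter rules, not redirections, which is the point of the reply: with the client on the firewall there is nothing to redirect, so rdr-to and ftp-proxy do not enter into it.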

