Hi all,

(First, sorry if you receive this e-mail multiple times,
I changed my smtp server as the first one doesn't seem
to get mails to this list.)

My firewall (OpenBSD 4.7) is running packet filter with NAT
and tcp-proxy to provide FTP for hosts in the network behind
the firewall/NAT.

The problem is that for a host behind the firewall, connecting
to an FTP server on the internet through the firewall, active
mode works but passive doesn't. On the firewall's external
interface I can see packets going to the FTP server but no reply
packets.

Trying FTP directly from the firewall, passive mode works but active
doesn't (ftp client says "425 Could not open data connection
to port 55476: Connection refused"). In this case ftp-proxy is
not used as the firewall should be just like any other ftp client.

I have updated my pf.conf as per the 4.7 upgrade instructions
and I have run tcpdump on the network interfaces as well as pflog0,
but so far I don't understand what might be wrong. I tried to
see pf rules or states inserted by ftp-proxy with commands like
'pfctl -a "ftp-proxy/*" -sr', but either it doesn't print anything
or, trying 'pfctl -a '*' -sr', I get:

....
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
...

Any help appreciated. It is not a showstopper but pretty annoying,
as e.g. Firefox defaults to passive mode.

Teemu
