Teemu,

We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the commands "ftp" and "ftp -p" are exactly the same. Some older Solaris machines use active only, and ftp on Ubuntu 10.04 uses active by default.
Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any IP from port 20 to any upper port on the firewall. Not very common. The machine behind the firewall should be able to do active and passive because the ftp-proxy, if set up correctly, will anchor the proper rules to allow both connection types.

For more testing you can set up the ftp-proxy daemon to log its connections to /var/log/daemon using "/usr/sbin/ftp-proxy -D7 -v". You may also want to add the "log" variable to your Pf rules so you can watch the logs with "tcpdump -n -e -ttt -v -i pflog0". Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is. Make sense?

BTW, we have examples of Pf and ftp-proxy on our site; see signature.

I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :)

--
Calomel @ https://calomel.org
Open Source Research and Reference

On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote:
>On Jun 3, 2010, at 3:51 AM, Calomel Org wrote:
>
>> Teemu,
>>
>> Are you sure the ftp server you are connecting to supports active and
>> passive ftp? You may want to try your test against ftp.openbsd.org.
>
>That is a very good point. I thought so as I got both modes working
>from different nodes, but I am not sure any more. I tried to
>ftp.openbsd.org and the results are different indeed.
>
>From a host behind my pf machine:
>
>host$ ftp ftp.openbsd.org
>Connected to openbsd.sunsite.ualberta.ca.
>ftp> ls
>229 Entering Extended Passive Mode (|||60318|)
>ftp: Can't connect to `129.128.5.191': Connection refused
>200 EPRT command successful.
>150 Opening ASCII mode data connection for '/bin/ls'.
>total 8
>drwxr-xr-x 2 0 0 512 May 4 2009 etc
>drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
>226 Transfer complete.
>
>host$ ftp -p ftp.openbsd.org
>Connected to openbsd.sunsite.ualberta.ca.
>ftp> ls
>229 Entering Extended Passive Mode (|||63762|)
>ftp: Can't connect to `129.128.5.191': Connection refused
>
>From the pf machine:
>
>fw$ ftp ftp.openbsd.org
>Connected to openbsd.sunsite.ualberta.ca.
>ftp> ls
>150 Opening ASCII mode data connection for '/bin/ls'.
>total 8
>drwxr-xr-x 2 0 0 512 May 4 2009 etc
>drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
>226 Transfer complete.
>
>fw$ ftp -p ftp.openbsd.org
>Connected to openbsd.sunsite.ualberta.ca.
>ftp> ls
>150 Opening ASCII mode data connection for '/bin/ls'.
>total 8
>drwxr-xr-x 2 0 0 512 May 4 2009 etc
>drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
>226 Transfer complete.
>
>If that doesn't ring a bell and you still have time and
>interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf
>
>Thanks!
>
>Teemu
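The thread's advice is to collect a reliable set of passive and active test responses from both sides of the firewall and compare them. The script below is an added example, not code from either poster or from calomel.org: it classifies an ftp(1) session transcript by which data-channel mode actually carried the listing, and it is fed constructed transcripts modelled on the sessions quoted above (the client's fallback from a refused EPSV to EPRT is the case worth catching).

```shell
#!/bin/sh
# Added example, not from the thread: classify an ftp(1) session transcript
# by which data-channel mode actually carried the directory listing.
# Usage: classify_ftp_transcript < transcript   (prints passive=... active=...)
# States: ok (transfer completed in that mode), failed (data connection could
# not be opened in that mode), untried (the client never announced that mode).

classify_ftp_transcript() {
    awk '
        # 229 (EPSV) or 227 (PASV): the client will connect out for the data channel
        /^229 Entering Extended Passive Mode/ || /^227 Entering Passive Mode/ { mode = "passive"; next }
        # 200 after EPRT/PORT: the server will connect back, i.e. active mode
        /^200 (EPRT|PORT) command successful/ { mode = "active"; next }
        # client could not reach the passive port, or server could not call back
        /^ftp: Can.t connect to/ || /^425 / { if (mode != "") st[mode] = "failed"; next }
        # the listing was delivered over the data channel of the current mode
        /^226 Transfer complete/ { if (mode != "") st[mode] = "ok"; next }
        END {
            printf "passive=%s active=%s\n",
                ("passive" in st) ? st["passive"] : "untried",
                ("active" in st) ? st["active"] : "untried"
        }'
}

# Constructed transcripts modelled on the sessions quoted in the thread.
# Behind the firewall, plain "ftp": EPSV is refused, the client falls back to EPRT.
LAN_DEFAULT='229 Entering Extended Passive Mode (|||60318|)
ftp: Can'\''t connect to `129.128.5.191'\'': Connection refused
200 EPRT command successful.
150 Opening ASCII mode data connection for '\''/bin/ls'\''.
226 Transfer complete.'

# Behind the firewall, "ftp -p": passive only, so there is no fallback.
LAN_PASSIVE='229 Entering Extended Passive Mode (|||63762|)
ftp: Can'\''t connect to `129.128.5.191'\'': Connection refused'

classify_lan_default() { printf '%s\n' "$LAN_DEFAULT" | classify_ftp_transcript; }
classify_lan_passive() { printf '%s\n' "$LAN_PASSIVE" | classify_ftp_transcript; }

classify_lan_default   # passive=failed active=ok
classify_lan_passive   # passive=failed active=untried
```

A transcript that shows only the 150/226 lines, like the two taken on the firewall itself, classifies as untried for both modes, which tells you the client printed no mode announcement and you need its verbose output before comparing sides.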