> > > # vi /etc/inetd.conf
> > xx.yy.zz.ww:21 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
>
> This doesn't look like the syntax described in the patched ftp-proxy(8):
>
>      -R address:[port]
>              Reverse proxy mode for FTP servers running behind a NAT gateway.
>              In this mode, no redirection is needed. The proxy is run from
>              inetd(8) on the port that external clients connect to (usually
>              21). Control connections and passive data connections are
>              forwarded to the server.
>
> So you should add e.g. -R 192.168.0.2.
I don't think I understand this. What should the line in inetd.conf read? There aren't examples in the man page for -R and I've tried about 30 iterations so far of the syntax for that line and none seem to work.

> If you can binat, you don't need to use ftp-proxy reverse mode. Reverse
> mode is necessary if you only have one external IP address.

I've been trying this with various pass ins, pass outs and rdrs. I cannot make ftp work. Does anyone have a few lines from a sample ruleset to accomplish this? I've tried many iterations of allows and blocks and rdrs and binats with no success.

> > Can you show us your pf.conf?

Here is the pf.conf I'm using at the moment for testing to make this work:

nat on fxp0 from 10.1.1.0/24 to any -> 1.2.3.4
rdr on fxp0 proto tcp from 209.61.182.33 to 1.2.3.5 port 25 -> 10.1.1.10 port 25
binat on fxp0 from 10.1.1.10 to any -> 1.2.3.6
pass in all keep state
pass out all keep state

I've made it as simple as possible and still I cannot get to my ftp server using the ftp-proxy in reverse mode (although I doubt now that I'm launching it correctly from inetd) or through an active or passive ftp client on the internet with the permissive ruleset and the binat'ing.
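For reference, here is what the quoted ftp-proxy(8) text amounts to when written out as a complete inetd.conf entry. This is an added illustration, not a line from the thread or from the OpenBSD sources: it assumes the external address is 1.2.3.4 (taken from the nat rule above) and reuses 192.168.0.2 from the quoted reply as a placeholder for the internal FTP server's address. The accompanying pf remark assumes the permissive "pass in all keep state / pass out all keep state" ruleset shown above.

```text
# /etc/inetd.conf  (added example; addresses are assumed, see lead-in)
#
# inetd itself binds 1.2.3.4:21, so in -R (reverse) mode no rdr rule is
# needed for FTP.  The server-program arguments after the program path are
# what reach ftp-proxy: -R names the FTP server the control connection and
# the passive data connections are forwarded to.
1.2.3.4:21 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -R 192.168.0.2

# After editing, inetd has to re-read its configuration:
#   kill -HUP `cat /var/run/inetd.pid`
# and the listener can be confirmed with:
#   netstat -an -f inet | grep '\.21 '
#
# With "pass in all keep state" and "pass out all keep state" already in
# pf.conf, both the inbound control connection to 1.2.3.4:21 and the
# proxy's own connections out to 192.168.0.2 are admitted, so the
# remaining thing to verify is that inetd is actually running the proxy.
```

The point of writing the server address on the inetd line rather than in a rdr rule is that the whole client-facing side is the proxy: pf only ever sees traffic to the gateway's own address, which is why the man page says no redirection is needed in this mode.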
