[SNIP]
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
> >
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
> >
> > pass in on $ext_if inet proto tcp from any to $ext_if \
> >     user proxy keep state
> >
> > I noticed that with the above rules internal clients can do passive
> > ftp fine, but active ftp won't work, pf drops the packets from
> > the remote host from port 20 to a high port here.
> > I don't know quickly how to remedy this, any hints?
>
> Get into logging and then provide us with some facts.
Okay, I only logged the blocked packets; if you need more, please tell.
I tried to make an active ftp connection to ftp.openbsd.org. I am doing
NAT. Here's the output from fstat | grep proxy:

proxy    ftp-proxy    851   wd /          2 drwxr-xr-x     512 r
proxy    ftp-proxy    851    0* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    1* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    2* internet stream tcp c19b24f0 127.0.0.1:8021 <-> 10.1.1.10:2545
proxy    ftp-proxy    851    3* unix dgram c19e3000 <-> c1938c40
proxy    ftp-proxy    851    4* internet stream tcp c19b2b1c 82.161.169.153:56634 <-> 129.128.5.191:21
proxy    ftp-proxy    851    5* internet stream tcp c19b262c *:55674

The last line is the ftp-proxy waiting for a connection from
ftp.openbsd.org on port 55674, but the SYN packet is already dropped.
Output from pflog0:

4. 422299 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, flags [DF], length: 44, bad cksum d0ab (->2145)!) 129.128.5.191.20 > 82.161.169.153.55674: S [tcp sum ok] 693991520:693991520(0) win 8760 <mss 1460>

Any hints?

Bye,
Mipam.
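As an added example (not part of this thread), a small Python filter over tcpdump-style pflog lines like the one above that picks out exactly the pattern Mipam describes: blocked inbound SYNs on the external interface from TCP port 20 to a high port, i.e. the server's active-mode data connection towards the proxy's listening socket. The interface wm0 and the addresses are taken from the message; the three extra sample lines and the 198.51.100.7 address are constructed.

```python
import re

# Shape of the tcpdump-on-pflog lines quoted above (assumed "tcpdump -n -e" style):
#   rule N/M(match): ACTION DIR on IF: IP (...) SRC.SPORT > DST.DPORT: FLAGS ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): IP .*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRPU.]+)"
)

def parse_pflog_line(line):
    """Parse one pflog line into a dict; None when the line does not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("rule", "sport", "dport"):
        e[k] = int(e[k])
    return e

def is_dropped_active_ftp_data(e, ext_if):
    """A blocked inbound SYN on the external interface, from TCP source port 20
    to an unprivileged port, is the server opening an active-mode data channel
    back towards the proxy's listening socket: the packet shown in the thread."""
    return (e["action"] == "block" and e["dir"] == "in" and e["iface"] == ext_if
            and e["sport"] == 20 and e["dport"] >= 1024 and "S" in e["flags"])

def find_dropped_active_ftp(lines, ext_if):
    parsed = (parse_pflog_line(l) for l in lines)
    return [e for e in parsed if e and is_dropped_active_ftp_data(e, ext_if)]

# Sample pflog output: the first line is the one quoted in the thread; the
# other three are constructed for illustration (198.51.100.7 is a test address).
SAMPLE_LINES = [
    "4. 422299 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58380, offset 0, "
    "flags [DF], length: 44, bad cksum d0ab (->2145)!) 129.128.5.191.20 > 82.161.169.153.55674: "
    "S [tcp sum ok] 693991520:693991520(0) win 8760 <mss 1460>",
    "000000 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 51, id 7, offset 0, flags [DF], "
    "length: 60) 198.51.100.7.44321 > 82.161.169.153.22: S [tcp sum ok] 1:1(0) win 65535 <mss 1460>",
    "000000 rule 4/0(match): pass out on wm0: IP (tos 0x0, ttl 64, id 9, offset 0, flags [DF], "
    "length: 60) 82.161.169.153.56634 > 129.128.5.191.21: S [tcp sum ok] 5:5(0) win 16384 <mss 1460>",
    "000000 rule 1/0(match): block in on wm0: IP (tos 0x0, ttl 242, id 58381, offset 0, flags [DF], "
    "length: 40) 129.128.5.191.20 > 82.161.169.153.55674: . [tcp sum ok] ack 1 win 8760",
]

if __name__ == "__main__":
    for e in find_dropped_active_ftp(SAMPLE_LINES, "wm0"):
        print(f"rule {e['rule']}: active-FTP data SYN {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} dropped on {e['iface']}")
```

Only the thread's own line is reported; the blocked SSH SYN, the passed outbound control connection and the bare ACK from port 20 are all filtered out, which is the point: the rule number printed tells you which pf rule ate the data-channel SYN.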
