I realize that this is not a pf problem, but I also believe that readership here has the expertise to solve this problem.
I am trying to use ftp-proxy with pf. It works for passive mode, but fails for active mode. What follows (slightly edited) is a conversation from a Windows XP machine (source.thinkage.ca) using the cygwin ftp, which logs on as anonymous by itself. (I get the same using Microsoft's ftp.)

~~$ ftp -d ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
220-
220- Welcome to SunSITE Alberta
220-
220- at the University of Alberta, in Edmonton, Alberta, Canada
220-
220-All connections to and transfers from this server are logged. If
220-you do not like this policy, please disconnect now.
220-
220-You may want to grab the index file called "ls-lR.gz" in /pub. It is
220-updated nightly with the contents of the ftp tree.
220-
220- If you have any questions, hints, or requests, please email
220-
220- [EMAIL PROTECTED]
220-
220
---> USER anonymous
331 Who are you impersonating today?
---> PASS XXXX
230-
230- Welcome to Sunsite Alberta
230- Login Successful.
230 Your data rate unrestricted
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
---> PORT 192,102,11,8,12,170
200 PORT command successful - not using PASV eh?
---> LIST
150 Have a Gorilla.
There is never a response back from the "LIST" command.

This generated the pflog below (the port numbers are not quite right; the output was gathered over several attempts). "outside" is the IP address of the outside of the firewall, "gateway" is the address of the inside of the firewall, and "source" is where the ftp request started. The redirected conversation to ftp-proxy is not visible because I could not put a log on the "rdr".

pass out on ste0: outside.thinkage.ca.58157 > openbsd.sunsite.ualberta.ca.ftp: S 2560781418:2560781418(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
pass in on ste0: openbsd.sunsite.ualberta.ca.ftp-data > outside.thinkage.ca.50622: S 236919090:236919090(0) win 8760 <mss 1460> (DF)
pass out on fxp0: gateway.thinkage.ca.59222 > source.thinkage.ca.5003: S 2724013282:2724013282(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
pass out on ste0: outside.thinkage.ca.54441 > openbsd.sunsite.ualberta.ca.ftp-data: F 3086174700:3086174700(0) ack 211028790 win 17520 (DF)
pass out on ste0: outside.thinkage.ca.50622 > openbsd.sunsite.ualberta.ca.ftp-data: F 3961007529:3961007529(0) ack 236919496 win 17520 (DF)

The trouble is the XP computer is waiting for packets from openbsd.sunsite.ualberta.ca on port ftp-data and is ignoring those from gateway.thinkage.ca on port 59222. And I think the ftp client is right to ignore these packets.

Out of curiosity I also tried running the ftp-proxy as root. Then the port is correct, but the packet is still from the wrong address and the packets are still ignored.
pass out on ste0: outside.thinkage.ca.60139 > openbsd.sunsite.ualberta.ca.ftp: S 3173265442:3173265442(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
pass in on ste0: openbsd.sunsite.ualberta.ca.ftp-data > outside.thinkage.ca.53159: S 4267916550:4267916550(0) win 8760 <mss 1460> (DF)
pass out on fxp0: gateway.thinkage.ca.ftp-data > source.thinkage.ca.5002: S 2502655302:2502655302(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
pass out on ste0: outside.thinkage.ca.51487 > openbsd.sunsite.ualberta.ca.ftp-data: F 2857467745:2857467745(0) ack 4225448704 win 17520 (DF)
pass out on ste0: outside.thinkage.ca.53159 > openbsd.sunsite.ualberta.ca.ftp-data: F 3120064161:3120064161(0) ack 4267916956 win 17520 (DF)

I don't find any information on ftp-proxy not working for active mode, so I am doing something wrong, but I don't know what.
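An added example, not from the post above or from ftp-proxy itself, that decodes the PORT argument the client sent and scans tcpdump-style pflog lines for the data-connection SYN towards the client, reporting whether it arrived from the server's address and the ftp-data port as the client in the post expects. The sample lines are copied from the first pflog in the post; the hostnames are the ones used there.

```python
import re

# Sample input: three pflog lines taken from the post (tcpdump-style pflog output).
PFLOG_SAMPLE = """\
pass out on ste0: outside.thinkage.ca.58157 > openbsd.sunsite.ualberta.ca.ftp: S 2560781418:2560781418(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF)
pass in on ste0: openbsd.sunsite.ualberta.ca.ftp-data > outside.thinkage.ca.50622: S 236919090:236919090(0) win 8760 <mss 1460> (DF)
pass out on fxp0: gateway.thinkage.ca.59222 > source.thinkage.ca.5003: S 2724013282:2724013282(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
"""

# "<action> <dir> on <iface>: <host>.<port> > <host>.<port>: <tcp flags> ..."
# Hosts may contain dots, so the port is whatever follows the last dot.
PFLOG_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRP.]+)"
)


def parse_port(arg):
    """Decode the PORT argument h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pflog(text):
    """Yield one dict per line that matches the pflog format above."""
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            yield m.groupdict()


def check_active_data_conn(text, client, server):
    """List every (src host, src port) that sent a SYN to the client and say whether
    one of them is the FTP server on the ftp-data port, which is what the post's
    client waits for before it accepts the active-mode data connection."""
    seen = [(r["src"], r["sport"]) for r in parse_pflog(text)
            if "S" in r["flags"] and r["dst"] == client]
    expected = (server, "ftp-data")
    return {"expected": expected, "seen": seen, "ok": expected in seen}


if __name__ == "__main__":
    print(parse_port("192,102,11,8,12,170"))
    print(check_active_data_conn(PFLOG_SAMPLE, "source.thinkage.ca",
                                 "openbsd.sunsite.ualberta.ca"))
```

On the post's log the only SYN reaching the client comes from gateway.thinkage.ca port 59222, so the check reports the mismatch the post describes.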
