On Mon, Feb 23, 2009 at 10:50 AM, Karl O. Pinc <[email protected]> wrote:
> Tagging does not (necessarily) enter into ftp, if I understand
> your setup. You run different instances of ftp-proxy on different
> ports, so the rdr takes care of that. Then you use
> the -a argument to ftp-proxy so that the "right"
> nic is used for each ftp-proxy running, where "right"
> means the interface that the passive mode data connection
> is NAT-ed to or otherwise transits so that passive mode
> ftp works.
When dealing with IP aliases I've found that simply running different
instances of ftp-proxy using -a works just fine. But in this case
packets are getting routed normally, through the gateway interface.
However, when not routing normally, that is, using route-to instead of
the routing table's default gateway, ftp for the inside clients is not
working. I'm guessing I need to use the -T argument, tag the packets
and use some route-to and/or reply-to rules to get it all to work.
From man ftp-proxy:
======================================================
-T tag  The filter rules will add tag tag to data connections, and not
        match quick. This way alternative rules that use the tagged
        keyword can be implemented following the ftp-proxy anchor. These
        rules can use special pf(4) features like route-to, reply-to,
        label, rtable, overload, etc. that ftp-proxy does not implement
        itself.
======================================================
The last group of pass-out rules from the pf.conf (in case this helps):
======================================================
pass out on $ext_if route-to ( $wow_4_if $wow_4_gw ) from $wow_4_if
pass out on $ext_if route-to ( $wow_8_if $wow_8_gw ) from $wow_8_if
pass out on $wow_4_if route-to ( $wow_8_if $wow_8_gw ) from $wow_8_gw
pass out on $wow_4_if route-to ( $ext_if $ext_gw ) from $ext_gw
pass out on $wow_8_if route-to ( $wow_4_if $wow_4_gw ) from $wow_4_gw
pass out on $wow_8_if route-to ( $ext_if $ext_gw ) from $ext_gw
======================================================
Chris
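The setup the message and the -T excerpt describe, written out as one pf.conf fragment. This is an added example, not configuration from the original message or from the ftp-proxy project: the interface names, addresses, the tags ftp4 and ftp8, the proxy listen ports 8021/8022 and the <wow_4_clients>/<wow_8_clients> tables are assumed for illustration, and the syntax is the rdr/nat-anchor style of pf(4) in use at the time of the thread. The two ftp-proxy invocations the rules expect are shown as comments at the top.

```pf
# Assumed macros; substitute the gateway's real interfaces and addresses.
ext_if   = "em0"
int_if   = "em1"
wow_4_if = "em2"
wow_4_gw = "192.0.2.1"
wow_4_ad = "192.0.2.2"        # address on $wow_4_if, given to ftp-proxy -a
wow_8_if = "em3"
wow_8_gw = "198.51.100.1"
wow_8_ad = "198.51.100.2"     # address on $wow_8_if, given to ftp-proxy -a
table <wow_4_clients> { 10.0.4.0/24 }   # assumed inside client groups
table <wow_8_clients> { 10.0.8.0/24 }

# One proxy per uplink; -a picks the source address of the proxied
# connection, -T makes the anchor's data-connection rules carry a tag
# and drop "quick" so later tagged rules can override them:
#   ftp-proxy -p 8021 -a 192.0.2.2    -T ftp4
#   ftp-proxy -p 8022 -a 198.51.100.2 -T ftp8

# Anchors ftp-proxy populates at run time.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control connections: each client group is redirected to its own proxy.
rdr pass on $int_if proto tcp from <wow_4_clients> to any port 21 \
    -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from <wow_8_clients> to any port 21 \
    -> 127.0.0.1 port 8022

# The proxy's own control connection to the server is sourced from the
# -a address, so a source-based route-to steers it, as the "from
# $wow_4_if" rules in the message do for all traffic from that address.
pass out on $ext_if route-to ($wow_4_if $wow_4_gw) proto tcp \
    from $wow_4_ad to any port 21
pass out on $ext_if route-to ($wow_8_if $wow_8_gw) proto tcp \
    from $wow_8_ad to any port 21

# Data connections: the rules ftp-proxy loads into this anchor carry
# "tag ftp4" / "tag ftp8" and no "quick", so pf keeps evaluating and the
# tagged rules below are the last match. They must follow the anchor.
anchor "ftp-proxy/*"

pass out on $ext_if route-to ($wow_4_if $wow_4_gw) proto tcp tagged ftp4
pass out on $ext_if route-to ($wow_8_if $wow_8_gw) proto tcp tagged ftp8
```

Once a client has an FTP session open, `pfctl -a 'ftp-proxy/*' -sr` shows the rules the proxy inserted; with -T in effect each data-connection rule should show the tag and no `quick`. If `quick` is still there, the tagged route-to rules after the anchor never get a chance to match and the data connection follows the default route, which is the failure the message describes.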