Man ftp-proxy (8) (obsd 3.7) says this: 
 
     ftp-proxy accepts the redirected control connections and forwards them to
     the server.  The proxy replaces the address and port number that the
     client sends through the control connection to the server with its own
     address and proxy port, where it listens for the data connection.  When
     the server opens the data connection back to this port, the proxy
     forwards it to the client.  The pf.conf(5) rules need to let pass
     connections to these proxy ports (see options -u, -m, and -M above) in on
     the external interface.  The following example allows only ports 49152 to
     65535 to pass in statefully:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               port > 49151 keep state

     Alternatively, rules can make use of the fact that by default, ftp-proxy
     runs as user "proxy" to allow the backchannel connections, as in the
     following example:

           block in on $ext_if proto tcp all
           pass  in on $ext_if inet proto tcp from any to $ext_if \
               user proxy keep state

     These examples do not cover the connections from the proxy to the foreign
     FTP server.  If one does not pass outgoing connections by default
     additional rules are needed.

I have ports 5500:5700 opened for the data channel; what "additional rules"
are needed? I've tried the rules in
http://cvs.openbsd.org/faq/pf/ftp.html#natserver but they do not work. I
cannot connect to my ftp server from outside the network.

Thanks,
--
-Christopher
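
Added example (not part of the original post and not ftp-proxy's own code): a Python sketch of the PORT rewrite the man page excerpt describes, plus a check that the range the proxy may listen on lies inside the range a pf pass rule admits. The addresses, the chosen listen port and the function names are constructed for illustration; the two port ranges are the ones quoted in the message.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
PORT_RE = re.compile(r"PORT (\d{1,3}(?:,\d{1,3}){5})", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or raise ValueError."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def build_port(ip, port):
    """Encode (ip, port) back into a PORT command line."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)

def rewrite_port(line, proxy_ip, listen_port):
    """Swap the client's endpoint for the proxy's own address and port.

    Returns the command sent on to the server and the client endpoint
    the proxy must forward the incoming data connection to.
    """
    client = parse_port(line)
    return build_port(proxy_ip, listen_port), client

def pf_range_covers(listen_range, pf_low, pf_high):
    """True if every port the proxy may listen on is passed by the pf rule."""
    lo, hi = listen_range
    return pf_low <= lo and hi <= pf_high

if __name__ == "__main__":
    # Constructed sample: internal client, proxy on a documentation address.
    cmd, client = rewrite_port("PORT 192,168,1,10,4,210\r\n", "203.0.113.5", 50000)
    print("to server:", cmd.strip(), "| forward data to:", client)
    # Man page rule "port > 49151" against a proxy listening on 49152-65535.
    print(pf_range_covers((49152, 65535), 49152, 65535))
    # A 5500:5700 pass rule only matches a proxy confined to that range.
    print(pf_range_covers((49152, 65535), 5500, 5700))
    print(pf_range_covers((5500, 5700), 5500, 5700))
```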
