Man ftp-proxy (8) (obsd 3.7) says this:

    ftp-proxy accepts the redirected control connections and forwards them
    to the server. The proxy replaces the address and port number that the
    client sends through the control connection to the server with its own
    address and proxy port, where it listens for the data connection. When
    the server opens the data connection back to this port, the proxy
    forwards it to the client.

    The pf.conf(5) rules need to let pass connections to these proxy ports
    (see options -u, -m, and -M above) in on the external interface. The
    following example allows only ports 49152 to 65535 to pass in
    statefully:

        block in on $ext_if proto tcp all
        pass in on $ext_if inet proto tcp from any to $ext_if \
            port > 49151 keep state

    Alternatively, rules can make use of the fact that by default,
    ftp-proxy runs as user "proxy" to allow the backchannel connections,
    as in the following example:

        block in on $ext_if proto tcp all
        pass in on $ext_if inet proto tcp from any to $ext_if \
            user proxy keep state

    These examples do not cover the connections from the proxy to the
    foreign FTP server. If one does not pass outgoing connections by
    default additional rules are needed.

I have ports 5500:5700 opened for the data channel, what "additional rules" are needed?

I've tried the rules in http://cvs.openbsd.org/faq/pf/ftp.html#natserver but they do not work. I cannot connect to my ftp server from outside the network.

Thanks,

-- 
-Christopher
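A complete pf.conf fragment for the layout the man page describes (clients on the LAN, ftp-proxy on the firewall, foreign FTP servers outside), written as an added example rather than taken from the man page or from the post. It is built from the man page's own two rules plus the "additional rules" it leaves out, using the 5500:5700 data range from the post. Interface names, the LAN prefix, and the assumption that ftp-proxy is launched from inetd on 127.0.0.1 port 8021 (the OpenBSD 3.7-era layout) with -m 5500 -M 5700 are all constructed for the example.

```pf
# Added example, not from ftp-proxy(8) or from the post.
# Constructed values: fxp0/fxp1 as external/internal interfaces, 10.0.0.0/24
# as the client LAN. Assumes ftp-proxy is started from inetd on
# 127.0.0.1 port 8021 with -m 5500 -M 5700, so its data-channel listeners
# fall in 5500:5700.
ext_if      = "fxp0"
int_if      = "fxp1"
int_net     = "10.0.0.0/24"
proxy_ports = "5500:5700"

# Translation: hand the LAN's FTP control connections to the proxy.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Default deny for TCP on the external interface, both directions, so the
# pass rules below are the only things that open it.
block in  on $ext_if proto tcp all
block out on $ext_if proto tcp all

# Server -> proxy data connections (active mode). Restricted to the -m/-M
# range AND to a socket owned by user "proxy", so the range is only open
# while ftp-proxy is actually listening there.
pass in on $ext_if inet proto tcp from any to $ext_if port $proxy_ports \
    user proxy flags S/SA keep state

# The "additional rules": the proxy's own outgoing connections, i.e. the
# control connection to port 21 and passive-mode data connections to
# whatever port the foreign server announces. No destination port
# restriction is possible for the latter, so "user proxy" is what keeps
# this from being a general pass-out rule.
pass out on $ext_if inet proto tcp from any to any \
    user proxy flags S/SA keep state
```

The same three pieces (redirect the control connection, admit the backchannel only on the proxy's port range and socket owner, and explicitly pass the proxy's outbound connections) also apply to the NAT'd-server layout the linked FAQ section covers; the difference is that the proxy's outbound rules then belong on the interface facing the internal server rather than on $ext_if.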