On 2010/06/13 17:31, Rod Whitworth wrote:
> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
> 
> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
> >> The rule:
> >> pass in on $int_if inet proto tcp to any port ftp \
> >>     rdr-to 127.0.0.1 port 8021
> >> 
> >> in the example ruleset on http://www.openbsd.org/faq/pf/example1.html
> >> does not work for active ftp from NATted hosts.
> >> 
> >> There are three solutions which all work.
> >> 
> >> A> make it "pass in quick ....."
> >> B> move the rule as-is to the end of the file. (Last match wins......)
> > >> C> move the rule up to the match rules and change "pass" to "match"
> >> 
> >> Which do you prefer?
> >> 
> >
> >if the point of that rule is the same as the point of the rule in
> >ftp-proxy(8), then the rule should really match the man page (which uses
> >"quick") or vice versa.
> 
> Note that the ftp-proxy manpage does "pass in quick" with no interface
> limitation......

So what do you think, maybe 'pass in quick on !egress...' ?

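As an added illustration (not part of the thread, the FAQ, or ftp-proxy(8) itself), here is a minimal pf.conf that shows why the FAQ rule loses and how each of the three fixes changes the outcome. Interface names, the LAN layout and the catch-all rules are assumptions; only the rdr-to rule, the ftp-proxy anchor and port 8021 come from the thread and the manual page.

```pf
# Added example, not the FAQ ruleset.  em0/em1 are assumed names.
ext_if = "em0"
int_if = "em1"

# ftp-proxy(8) inserts its per-session rules here; it must be running
# (ftp-proxy_flags="" in /etc/rc.conf.local) for this to do anything.
anchor "ftp-proxy/*"

# Outbound NAT for the LAN (assumed; any nat-to form will do).
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# --- Broken ordering, as in the FAQ example ---------------------------
# This rule matches an FTP control connection from the LAN and sets
# rdr-to, but it is not the last rule that matches ...
pass in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
# ... because this catch-all matches the same packet.  Last match wins,
# and this rule carries no rdr-to, so the connection goes out unproxied
# and active FTP from the NATted host fails.
pass in on $int_if

# --- Fix A: "quick" ends evaluation at the rdr-to rule ----------------
pass in quick on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
pass in on $int_if

# --- Fix B: same rule, placed after the catch-all so it IS the last match
pass in on $int_if
pass in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021

# --- Fix C: a match rule; its rdr-to is sticky and is applied whichever
#     later pass rule finally passes the packet ---------------------------
match in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
pass in on $int_if

# Variant of fix A following the last message above: proxy FTP arriving
# on every interface except the egress group, with no interface macro.
pass in quick on !egress inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
```

Only one of the A/B/C sections belongs in a real pf.conf; they are stacked here so the ordering difference is visible in one place. Check the result with `pfctl -nf /etc/pf.conf` (parse only) and compare the loaded order with `pfctl -sr`: in the broken variant the rdr-to rule appears above the catch-all, which is exactly the problem. The ftp-proxy(8) example uses the "quick" form, so fix A is the one that keeps pf.conf and the manual page in step.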