On Sun, 13 Jun 2010 10:48:49 +0100, Stuart Henderson wrote:

>On 2010/06/13 17:31, Rod Whitworth wrote:
>> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
>> 
>> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
>> >> The rule:
>> >> pass in on $int_if inet proto tcp to any port ftp \
>> >>     rdr-to 127.0.0.1 port 8021
>> >> 
>> >> in the example ruleset on http://www.openbsd.org/faq/pf/example1.html
>> >> does not work for active ftp from NATted hosts.
>> >> 
>> >> There are three solutions which all work.
>> >> 
>> >> A> make it "pass in quick ....."
>> >> B> move the rule as-is to the end of the file. (Last match wins......)
>> >> C> move the rule up to the match rules and change "pass" to "match"
>> >> 
>> >> Which do you prefer?
>> >> 
>> >
>> >if the point of that rule is the same as the point of the rule in
>> >ftp-proxy(8), then the rule should really match the man page (which uses
>> >"quick") or vice versa.
>> 
>> Note that the ftp-proxy manpage does "pass in quick" with no interface
>> limitation......
>
>So what do you think, maybe 'pass in quick on !egress...' ?
>

Hmmm, now that I'm getting the hang of match, and it gets a lot of
exposure in man pf.conf, I'm half inclined to change both the example
ruleset AND ftp-proxy manpage to accept the spirit of the pf.conf
descriptions.

Particularly because it is another example of match usage that
clarifies the pf.conf docs.

The more examples the better, as long as they all do individual tasks.

Of course you guys decide.

/R/

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
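Why the rule as placed in the FAQ ruleset fails, and what each of the three fixes changes, as an added pf.conf illustration that is not the FAQ ruleset nor the ftp-proxy(8) text. The macro names and the single catch-all `pass in on $int_if` are assumed stand-ins for the later rules of the example ruleset; `127.0.0.1 port 8021` is the proxy listener quoted in the thread, and the `anchor "ftp-proxy/*"` line is the anchor ftp-proxy(8) inserts its own rules into. Only one of the four sections belongs in a real pf.conf.

```pf
# Added example (not the FAQ ruleset or ftp-proxy(8) text).
# Assumed macro names; replace with the real interfaces.
int_if = "em1"

# ftp-proxy(8) loads its per-session pass rules into this anchor.
anchor "ftp-proxy/*"

# ---- 0. As placed in the example ruleset: rdr-to is NOT applied ----
# Options on a non-quick pass rule (rdr-to included) only take effect
# when that rule is the LAST matching pass rule. The catch-all below
# also matches the FTP SYN and, being later, wins without a rdr-to, so
# the client talks to the server directly and active FTP through NAT
# breaks.
pass in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
pass in on $int_if

# ---- A. "pass in quick": evaluation stops here, so this is the final
#         match and its rdr-to is applied. Caveat: no later rule in the
#         file can further restrict port-21 traffic from $int_if.
pass in quick on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
pass in on $int_if

# ---- B. Same rule moved after the catch-all, so it is now the last
#         match (last match wins) and the rdr-to is applied.
pass in on $int_if
pass in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021

# ---- C. "match": the translation is recorded as soon as the match
#         rule hits; the later pass rule still decides filtering but
#         does not undo the rdr-to. Ordering among pass rules no longer
#         matters for the redirect.
match in on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
pass in on $int_if
```

To verify which variant is in effect, `pfctl -nf /etc/pf.conf` syntax-checks the file, `pfctl -sr` shows the loaded rules in evaluation order, and `pfctl -ss` after a test FTP connection from a NATted host should show a state to `127.0.0.1:8021` rather than to the remote server's port 21; if the state goes to port 21 directly, the redirect was overridden by a later pass rule. Variant C keeps filtering decisions in the ordinary last-match pass rules, which is why the thread leans toward it.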