Your new rules do not use the -b option of ftp-proxy, as the PF User's Guide recommended. It is my guess that you will want this set to your external 50.x.x.x.
Code:
-b address
Address where the proxy will listen for redirected control
connections. The default is 127.0.0.1, or ::1 in IPv6 mode.
The guide states (highlight mine):
Quote:
Edit /etc/rc.conf.local and add the following:
ftpproxy_flags="-R 10.10.10.1 -p 21 -b 192.168.0.1"
Here 10.10.10.1 is the IP address of the actual FTP server, 21 is the port we want ftp-proxy(8) to listen on, and 192.168.0.1 is the address on the firewall that we want the proxy to bind to.
You asked:
Quote:
What I fail to understand is how/why the old gateway works fine but the new settings do not.
Your older system was OpenBSD 4.7. As I mentioned above, at 5.0 ftp-proxy changed. Both your use of the proxy and PF rules should have been revisited, and I'm sorry you missed it. Here's a link to the section from the 5.0 Upgrade Guide that describes the change, which I have excerpted below for your convenience.
Quote:
PF changes requiring changes to your pf.conf rules
ftp-proxy(8) and tftp-proxy(8) have changed: They now use divert-to instead of rdr-to, which improves performance. Old rules like these:
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on internal proto udp to port tftp rdr-to 127.0.0.1 port 6969
should be replaced with:
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on internal inet proto udp to port tftp divert-to 127.0.0.1 port 6969
Note that with divert-to, the address family (in this example inet) must be specified explicitly.
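The two changes in the Upgrade Guide excerpt above can be checked mechanically before a ruleset is loaded. This is an added example, not part of the original post or of OpenBSD: the function name `check_pf_proxy_rules` is hypothetical, the sample ruleset is constructed, and ports 8021 and 6969 are assumed to be the proxy ports because they are the ones the excerpt shows.

```shell
#!/bin/sh
# Added example: lint pf.conf text (stdin) for the two problems named in the
# 5.0 Upgrade Guide excerpt. Ports 8021 and 6969 are the proxy ports shown in
# that excerpt; adjust them if your proxies listen elsewhere (assumption).
check_pf_proxy_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    # Pre-5.0 style: traffic handed to the proxy with rdr-to
    /rdr-to[ \t]+[^ \t]+[ \t]+port[ \t]+(8021|6969)([ \t]|$)/ {
        printf "line %d: rdr-to to proxy port, use divert-to\n", NR
        bad = 1
        next
    }
    # divert-to needs the address family (inet or inet6) spelled out
    /divert-to/ && !/(^|[ \t])inet6?([ \t]|$)/ {
        printf "line %d: divert-to without explicit inet/inet6\n", NR
        bad = 1
    }
    END { exit bad + 0 }               # status 1 if anything was flagged
    '
}

# Constructed sample ruleset: one old rdr-to rule, one divert-to rule that
# lacks the address family, and one rule already in the corrected form.
check_pf_proxy_rules <<'EOF' || true
# proxy rules carried over from the 4.7 gateway
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on internal proto udp to port tftp divert-to 127.0.0.1 port 6969
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
EOF
```

To check a real ruleset, feed it on stdin, for example `check_pf_proxy_rules < /etc/pf.conf`; the function exits non-zero when it flags a line.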