Old 24th December 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

ftp-proxy will only work for clients who connect through the machine:
  • incoming ftp traffic entering on the external interface
    For example when you run an ftp server
  • local LAN client ftp traffic entering on the internal interface.

For allowing ftp connections initiated by the ftp-proxy box itself, you have to open port 21 for the ftp command channel. The ftp data channel needs ports >1024.

If you don't want to leave such a wide range of ports open you could use a pf 'anchor' to temporarily open this >1024 range. Or you could only open this range for a small selection of ftp servers, for example some of the nearest OpenBSD ftp mirrors.

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
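An added pf.conf sketch of the three cases the post distinguishes (not from J65nko's post); it assumes OpenBSD pf syntax of 4.7 or later, interface names em0/em1, and constructed placeholder addresses that must be replaced with real ones.

```pf
# Constructed placeholders: adjust interfaces, server address and mirror list
ext_if = "em0"
int_if = "em1"
ftp_server = "192.0.2.10"                         # internal ftp server (placeholder)
table <ftp_mirrors> { 203.0.113.5, 203.0.113.6 }  # a few trusted mirrors (placeholders)

# ftp-proxy(8) inserts its per-session data-channel rules here at runtime,
# so the >1024 range never has to be opened statically for proxied clients
anchor "ftp-proxy/*"

# Case 1: ftp initiated by LAN clients behind the box, entering on $int_if
# (run: ftp-proxy, listening on 127.0.0.1:8021 by default)
pass in quick on $int_if inet proto tcp from $int_if:network to any port 21 \
    divert-to 127.0.0.1 port 8021

# Case 2: incoming ftp for a server behind the box, entering on $ext_if
# (run a second instance in reverse mode: ftp-proxy -R $ftp_server -p 8022)
pass in quick on $ext_if inet proto tcp to ($ext_if) port 21 \
    divert-to 127.0.0.1 port 8022

# Case 3: ftp initiated by the firewall itself; ftp-proxy cannot help here,
# so the command channel and the >1024 data range are opened directly,
# but only towards the short mirror list instead of "to any"
pass out on $ext_if inet proto tcp from ($ext_if) to <ftp_mirrors> port 21
pass out on $ext_if inet proto tcp from ($ext_if) to <ftp_mirrors> port > 1024
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then inspect what the proxy inserts with `pfctl -a "ftp-proxy/*" -sr` while a transfer is running.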