Thread: Ftp & pf
14th December 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984

If I understood your environment, you have an FTP server on your LAN that you would like to expose to the Internet at address 50.x.x.x. Its internal address is 192.168.0.101.

If that is correct, I recommend the following:
  • On your 192.168.0.101 platform, configure your FTP server to accept standard passive FTP traffic. The server should listen on TCP port 21.
  • On your firewall, configure your ftp-proxy server with the following flags: "-R 192.168.0.101 -p 21 -b 50.x.x.x"
    • The -R option sets the proxy in reverse mode, to support a server through NAT rather than clients. The address listed is the address of the server on your private LAN.
    • The -p option instructs the ftp-proxy to listen on port 21, as it will act as the FTP server to clients on the Internet.
    • The -b option instructs the proxy to listen to this external address. In my test, I selected one of the alias addresses I'd assigned to the firewall's Internet facing NIC.
  • No port redirection rules are needed in PF to support this traffic. The ftp-proxy application listens to an address on the external NIC port 21 and routes that traffic through to the FTP server's port 21.
  • The following rules are needed to pass this traffic:
Code:
anchor "ftp-proxy/*"
pass in on $ext_if proto tcp to 50.x.x.x port 21
pass out on $int_if proto tcp to 192.168.0.101 port 21 user proxy

Redirection via divert-to is needed to support clients behind the firewall, not the servers.
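As an added illustration (not jggimi's code, and not OpenBSD's ftp-proxy source) of what the reverse proxy does on the control channel: it intercepts the server's 227 passive-mode reply, rewrites the advertised address to the -b external address, and loads rules for that single data port into the ftp-proxy/* anchor, which is why no static rdr rule is needed. The addresses 192.0.2.10 (standing in for 50.x.x.x) and 203.0.113.5 are constructed, and the anchor-rule text is an approximation of what ftp-proxy generates, not its exact syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataRule:
    """One per-connection data-channel rule set, loaded into the ftp-proxy/* anchor."""
    client: str      # Internet client that sent PASV
    proxy_addr: str  # external address given to ftp-proxy with -b
    server: str      # real server given to ftp-proxy with -R
    port: int        # ephemeral data port chosen by the server

    def pf_rules(self) -> List[str]:
        # Approximation of the anchor rules: the client's data connection to the
        # external address is redirected to the same port on the internal server.
        return [
            f"pass in quick proto tcp from {self.client} to {self.proxy_addr} "
            f"port {self.port} rdr-to {self.server} port {self.port}",
            f"pass out quick proto tcp from {self.proxy_addr} "
            f"to {self.server} port {self.port}",
        ]


def rewrite_pasv(reply: str, client: str, proxy_addr: str,
                 server: str) -> Tuple[str, Optional[DataRule]]:
    """Rewrite a 227 reply so the client connects to proxy_addr instead of the
    private server address. Non-PASV replies pass through unchanged (rule=None).
    Malformed or suspicious replies raise ValueError and are not forwarded."""
    m = PASV_RE.search(reply)
    if not m:
        return reply, None
    octets = [int(x) for x in m.groups()[:4]]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("malformed 227 reply")
    port = p1 * 256 + p2
    if port < 1024:  # refuse to expose a privileged port on the external address
        raise ValueError(f"refusing data port {port}")
    if ".".join(map(str, octets)) != server:  # example's own sanity check
        raise ValueError("server advertised an address other than itself")
    external = proxy_addr.replace(".", ",")
    # groups 1..6 are contiguous inside the parentheses, so splice them as one span
    new_reply = reply[:m.start(1)] + f"{external},{p1},{p2}" + reply[m.end(6):]
    return new_reply, DataRule(client, proxy_addr, server, port)
```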