9th July 2013
jggimi

Thanks. The routing options (route-to, reply-to, dup-to) syntax changed at 4.7.

Your routing option applies to all incoming traffic on em0 destined for the server (192.168.1.200). Either add another standard pass rule without reply-to after this one for your two TCP services, or add a quick pass rule that doesn't use reply-to for those two TCP services before this rule.

Remember, with PF, unless the "quick" option is used, the last matching rule wins. If you use standard pass rules, try something like:
Code:
pass in on em0 reply-to (em0 192.168.1.1) to 192.168.1.200 keep state
pass in on em0 proto tcp from any to 192.168.1.200 port {21 80}
The first rule matches all incoming traffic, the second rule without reply-to matches your two services, and "wins" for that traffic.

You may also need to adjust rules for your FTP data connections, depending on whether passive or active FTP is used and the type of FTP proxy deployed, if any.

----
Edited to add: keep state became the default at 4.1.
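The second option described in the post (a "quick" pass rule placed before the reply-to rule), written out as an added pf.conf fragment that is not part of jggimi's post. The interface, addresses and ports are the ones from this thread; the macro names are assumed.

```pf
# Added example (not from the post): option 2, a "quick" pass rule placed
# BEFORE the reply-to rule. Interface and addresses are the thread's; the
# macro names are assumed.
ext_if       = "em0"
server       = "192.168.1.200"
reply_gw     = "192.168.1.1"
tcp_services = "{ 21 80 }"

# Matches first and, because of "quick", ends rule evaluation for FTP and
# HTTP traffic to the server, so the reply-to rule below never applies to it.
pass in quick on $ext_if proto tcp from any to $server port $tcp_services

# All other inbound traffic for the server still gets the reply-to treatment.
# "keep state" is omitted here because it has been the default since 4.1.
pass in on $ext_if reply-to ($ext_if $reply_gw) to $server

# Syntax check without loading (pfctl -nf /etc/pf.conf); the loaded order
# can then be confirmed with pfctl -sr.
```

With the standard-rule variant from the post, the same two rules appear in the opposite order and without "quick", relying on last-match-wins instead.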