Quote:
Originally Posted by ijk
Code:
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }
yes have been reading about active and passive ftp. but the rules i need are still problematic
I am already letting out traffic with the above rule. Why do i need to let out all traffic from any port with the below rule. is not this insecure. |
pass out proto tcp from self to any keep state
for pasv ftp tx the above rule will allow your ftp client to establish a data connection to the ftp server on an ephemeral port (> 1023) on the server.
anyway, ftp-proxy maybe a better option.