
PF Ruleset Problem for Active/Passive FTP

Hi, I've read http://www.openbsd.org/faq/pf/ftp.html about what to do
to allow FTP through the PF firewall, and have tried that, but I am still
having problems. I would like to have rules that support both active
and passive FTP. On my internal network there are different operating
systems with different FTP clients. By the way, I'm using OpenBSD 3.6
and my firewall provides NAT to the internal
Here's what I have in my inetd.conf:

stream  tcp     nowait  root    /usr/libexec/ftp-proxy ftp-proxy -n
Here's some of what I have in my pf.conf:

# interfaces and macros
ext_if          = "fxp0"
int_if          = "sis0"
network         = ""
nat_protocols   = "{ icmp, tcp, udp }"
proto_options   = "modulate state"
tcpsrv_options  = "flags S/SA"
tcp_ports       = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"

# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $int_if inet proto tcp from any to any port 21 -> port 8021

# active-mode data connections back from the FTP server (port 20)
# to the proxy
pass in on $ext_if inet proto tcp from port 20 to $ext_if \
        user proxy flags S/SA keep state

# outbound TCP from the firewall itself
pass out on $ext_if inet proto tcp from $ext_if to any \
        port $tcp_ports $tcpsrv_options $proto_options
How can I write rules that support both active and passive FTP and
allow my internal machines to connect to external FTP sites?
Let me know what is wrong with what I have. Thanks.