Re: rdr on firewall initiated connections

Jon Hart wrote:

In trying to diagnose a problem with ftp-proxy, I stumbled upon
something with pf's rdr that I cannot explain.

Assume a simple firewall ruleset. I had the following rdr line:

   rdr pass on $ext_if proto tcp from any to any \
   port 21 -> port 2121

That line, along with the other lines from the ftp-proxy examples in
pf.conf(5) and ftp-proxy(8), makes outbound ftp from LAN clients get
redirected to the local ftp-proxy as expected.  However, outbound ftp

I kinda doubt that. rdr is only applicable to packets on ingress. Your rdr rule should be applied to your LAN interface, not your Internet interface.

My question is, is this the expected behavior, and is there any way
I get the results I had hoped?

Use passive ftp? (which ftp(1) defaults to anyways)
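The point in the reply, written out as a pf.conf fragment (an added example, not from either poster): rdr matches only packets entering the firewall on the named interface, so the rule has to sit on the LAN side. Interface names, the 127.0.0.1 listener address and port 2121 are assumed; the remaining ftp-proxy lines from pf.conf(5)/ftp-proxy(8) are left out.

```pf
# Interface names are assumed for this example.
ext_if = "em0"          # Internet-facing interface
int_if = "em1"          # LAN-facing interface; LAN clients' packets enter here

# Rule as posted in the question, with a redirect address assumed.
# rdr evaluates packets on ingress only: a LAN client's outbound ftp SYN
# enters the firewall on $int_if, so a rule bound to $ext_if never sees it.
# rdr pass on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 2121

# Corrected placement: match the client's packet on the interface it
# actually arrives on and hand it to the locally listening ftp-proxy.
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 2121

# A connection the firewall itself originates never enters on any
# interface, so no rdr rule can apply to it; for ftp from the firewall
# the reply's suggestion is passive mode, which ftp(1) uses by default.
```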