From: "dave" <dmehler26@woh.rr.com>
To: freebsd-pf@freebsd.org
Date: Sun, 19 Dec 2004 12:50:07 -0500
Subject: pf and ftp client
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

I've got a 5.3 box running pf. I want to use it as an ftp client; it's already going through a NAT firewall. My problem is that when I try to download a port via make install and any ftp URL is referenced, the site cannot be contacted. I'm not sure which mode this is using, active or passive. This machine has only one NIC in it. I have included my relevant ftp pf rules below. Any help appreciated.

Thanks.
pf.conf:

# options
set loginterface none
set optimization normal
set block-policy drop
scrub in on $ext_if all
scrub out all random-id max-mss 1440

# nat ftp-proxy
rdr on $ext_if proto tcp from any to any port 21 -> $ext_addr port 8021

# activate spoofing protection for the internal interface.
antispoof quick for $ext_if inet

# allow active ftp, passive is handled
# by the ftp-proxy and the nat rdr rule
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow out ftp
pass out quick on $ext_if proto tcp from any to any port = 21 flags S/SA modulate state
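The post's "active or passive" question is decided on the FTP control channel, and that is also what ftp-proxy watches to open the right pinhole. As an added illustration that is not part of the original post or of FreeBSD's ftp-proxy, the script below parses a constructed control-channel transcript, classifies each data channel as active (client sent PORT, server connects inbound from its port 20) or passive (server answered 227/229, client connects outbound to a high port), and prints the pf rule shape each one would need. The session text, the addresses (documentation ranges) and the `$ext_if` macro name are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Matches the h1,h2,h3,h4,p1,p2 tuple used by PORT commands and 227 replies.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Matches the (|||port|) form used by 229 replies to EPSV.
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

# Constructed sample control-channel exchange (client lines carry no reply code);
# addresses are documentation ranges, not anything from the original post.
SAMPLE_SESSION = """\
220 ftp.example.org FTP server ready
USER anonymous
331 Guest login ok, send your email address as password
PASS user@example.org
230 Guest login ok, access restrictions apply
PORT 203,0,113,5,4,1
200 PORT command successful
RETR ports.tar.gz
150 Opening BINARY mode data connection
226 Transfer complete
PASV
227 Entering Passive Mode (192,0,2,10,195,82)
RETR INDEX
150 Opening data connection
226 Transfer complete
EPSV
229 Entering Extended Passive Mode (|||54321|)
"""


def parse_hostport(text: str):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(n > 255 for n in fields):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _passive(ext_if: str, ip: str, port: int) -> Dict:
    # Passive: the client opens the data connection outbound to the server.
    return {
        "mode": "passive", "ip": ip, "port": port,
        "pf_rule": (f"pass out on {ext_if} proto tcp from any to {ip} "
                    f"port {port} flags S/SA keep state"),
    }


def data_channels(session: str, server_ip: str, ext_if: str = "$ext_if") -> List[Dict]:
    """Classify every negotiated data channel and state the pf pinhole it needs.

    active  : client sent PORT; the server connects inbound from its port 20
              to the client address/port named in the PORT command.
    passive : server answered 227 (PASV) or 229 (EPSV); the client connects
              outbound to the server address/port named in the reply.  EPSV
              replies carry only a port, so the control-channel peer is used.
    """
    channels: List[Dict] = []
    for raw in session.splitlines():
        line = raw.strip()
        if line.upper().startswith("PORT "):
            ip, port = parse_hostport(line)
            channels.append({
                "mode": "active", "ip": ip, "port": port,
                "pf_rule": (f"pass in on {ext_if} proto tcp from any port 20 "
                            f"to {ip} port {port} flags S/SA keep state"),
            })
        elif line.startswith("227 "):
            ip, port = parse_hostport(line)
            channels.append(_passive(ext_if, ip, port))
        elif line.startswith("229 "):
            m = EPSV_RE.search(line)
            if m is not None:
                channels.append(_passive(ext_if, server_ip, int(m.group(1))))
    return channels


if __name__ == "__main__":
    for ch in data_channels(SAMPLE_SESSION, server_ip="192.0.2.10"):
        print(f"{ch['mode']:8} {ch['ip']}:{ch['port']:<6} {ch['pf_rule']}")
```

The active-mode rule it prints is the per-connection form of the post's `pass in ... from port 20 ... user proxy` rule; the passive-mode rules land on arbitrary high ports chosen by the server, which is why passive transfers need either a proxy that opens state as each 227/229 reply is seen or a much broader outbound pass rule than the `port = 21` one in the post.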