From: vsavichev@wesleyan.edu
To: freebsd-pf@freebsd.org
Date: Fri, 25 Mar 2005 04:49:41 -0500 (EST)
Message-ID: <55087.81.30.200.207.1111744181.squirrel@81.30.200.207>
Subject: transparent proxy ftp mode

Hi,

We have pf and a couple of IP aliases on the $ext_if. pf NATs the connections out in round-robin fashion; pf lets the clients out through stateful rules.

Recently, we switched to the transparent proxy mode in squid-pf conf.

pf.conf>
    rdr on $int_if inet proto tcp from any to {!192.168.0.0/24} port \
        { 80, 8080, 8101 } -> 127.0.0.1 port 3128

OK, there is a small problem when we try to download something in a browser from FTP sites; the reply is:

    passive ftp connection must come from same host active control connection

Does it say I have to use ftp-proxy as well, or should I somehow lock FTP-related connections to a predefined IP? I'm not sure if I express it correctly.

Thanks,
vlad