From: "manjoine" <chris@disentropy.com>
To: freebsd-pf@freebsd.org
Date: Fri, 24 Mar 2006 09:43:07 -0600
Message-ID: <005201c64f59$a628c050$b0f2ff80@iowa.uiowa.edu>
Subject: Pftpx for incoming ftp connections FTP Server INSIDE the firewall
List-Id: "Technical discussion and general questions about packet filter (pf)"

I am trying to use pftpx to solve the "strict" FTP clients issue (clients that want data connections to the same IP as the control connection) on an FTP server INSIDE the firewall. I found out that I can't use port redirects on all my external IPs since the FTP clients have IP strictness. It is the classic passive FTP problem. I have a firewall in front of an FTP server.

I have multiple IPs bound to the firewall that need to go to the same FTP server (thus the IP issue with strictness). So I want a pf.conf that will allow all incoming PASSIVE and ACTIVE FTP connections to any of the IPs to go to the one FTP server. I assume that I can use pftpx to proxy all incoming connections?

I found only this reference to a possible solution, but I can't seem to get it to work in my pf.conf:
http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo

Can anyone give me an example of how that would be done? Below is a trimmed down version of my pf.conf with the rules for outbound pftpx, which is working great, but I need inbound.

    # Macros (the original read "int_if=fpx0"; fxp0 is taken to be a typo
    # for the fxp(4) interface, matching ext_if=fxp1)
    int_if=fxp0
    ext_if=fxp1
    int_net="192.168.0.0/24"
    ext_net="{232.333.333.2,232.333.333.3,232.333.333.4}"

    #FTP out from int_net
    # pftpx fills these anchors with per-session nat/rdr rules for data connections
    nat-anchor "pftpx/*"
    rdr-anchor "pftpx/*"
    # hand outbound control connections from the LAN to the local pftpx listener
    rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

    #In the rule section:
    # pftpx also inserts the pass rules for the data connections here
    anchor "pftpx/*"
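The following is an added example of the inbound half the message asks for; it is not from the original message, the pfSense wiki page, or the pftpx project itself. It assumes pftpx is run on the firewall in reverse-proxy mode with a fixed backend address, e.g. `pftpx -R 192.168.0.10`, where `-R` is the fixed server address option and the proxy listens on 127.0.0.1 port 8021 by default (as documented for pftpx and its successor ftp-proxy(8)); `192.168.0.10` is a hypothetical address for the internal FTP server, and the macros reuse the message's own values.

```conf
# Added example, not from the original message or from pftpx.
# Assumptions: pftpx started as "pftpx -R 192.168.0.10" (reverse mode,
# listening on 127.0.0.1:8021); 192.168.0.10 is a hypothetical FTP server.
int_if=fxp0
ext_if=fxp1
int_net="192.168.0.0/24"
ext_net="{ 232.333.333.2, 232.333.333.3, 232.333.333.4 }"
ftp_srv="192.168.0.10"

# Translation section.  The anchors come first: pftpx inserts the
# per-session nat/rdr rules for the PASV/PORT data connections here.
nat-anchor "pftpx/*"
rdr-anchor "pftpx/*"

# Outbound FTP from the LAN (the working rule from the message).
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Inbound FTP: control connections to any of the public IPs are handed to
# the local pftpx listener, which opens its own connection to $ftp_srv.
# pftpx then installs the data-connection rules in the anchor using the
# public IP the client connected to, so a "strict" client sees the data
# connection at the same address as the control connection.  One pftpx
# instance serves all three public addresses because -R is fixed.
rdr pass on $ext_if proto tcp from any to $ext_net port 21 -> 127.0.0.1 port 8021

# Filter section: deny by default on the outside, log what is dropped,
# and let pftpx add the short-lived pass rules for each data connection.
block in log on $ext_if
pass out keep state
pass in on $int_if from $int_net keep state
anchor "pftpx/*"
```

The `rdr pass` lines create the pass rules for the control connections, and the `anchor "pftpx/*"` line is where pftpx's own pass rules for each data connection take effect, so it must be evaluated before any later `block` that would otherwise match. To confirm the proxy is doing its part, list the sub-anchors while a transfer is in progress with `pfctl -a "pftpx/*" -sr` and `pfctl -a "pftpx/*" -sn`; if they stay empty, pftpx is not seeing the control connection (check the `rdr` and that pftpx is bound to 127.0.0.1:8021), and `tcpdump -n -e -ttt -i pflog0` on the logged blocks shows which data connections are still being refused.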