From owner-freebsd-pf@FreeBSD.ORG Thu Jul 7 19:47:41 2005
Date: Thu, 7 Jul 2005 21:44:36 +0200
From: Michael Weiser
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp connections not working from firewall box
Message-ID: <20050707194436.GD57981@weiser.dinsnail.net>
References: <20050707182023.GB57981@weiser.dinsnail.net>
User-Agent: Mutt/1.4.2.1i
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Thu, Jul 07, 2005 at 02:37:25PM -0400, Scott Ullrich wrote:
> > another problem with my new pftpx setup is that because of
> >
> > rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> >
> > only connections coming in via the internal interface get redirected to
> > pftpx. Due to that FTP connections originating on the machine itself
> > don't work because they leave directly via the external interface so that
> > pftpx doesn't see them to add the proper firewall rules.
> >
> > Is there a workaround or proper solution for this (possibly including a
> > rant about my braindamage ;) ?

> If you default to deny on the WAN what happens if you change the rdr
> statement to:
>
> rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

No change. My understanding is that rdr only works for incoming packets.
This would explain why the above doesn't work. Because packets originating
on the local machine directly go out via xl1 they are not picked up by rdr
because they're outgoing already, not incoming. Is that understanding
correct or am I missing something?

One possible workaround might be to have applications that support it use
the IP of the internal interface as source address so that the packets
appear as incoming on that interface and get redirected to pftpx. But
squid for example doesn't support it and when I tried with wget
--bind-address just now it didn't work.
--
bye, Micha
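The direction semantics Michael describes (pf evaluates rdr only against packets entering the host on an interface, never against packets a local process originates) are the crux of the thread. The following is an added toy model of that rule-matching behaviour, written for this archive page; it is not pf code and not from either poster. It assumes pf's classic rdr semantics as stated in the reply, and all interface names, addresses and ports in the sample packets are constructed (xl0 as the LAN side, xl1 as the WAN side, as in the thread).

```python
"""Toy model of pf rdr matching, built to illustrate the thread above.

Assumption (matches the reply): rdr is evaluated only for packets that are
*inbound* on an interface. A connection a local process opens is already
outbound on the interface the routing table picked, so rdr never sees it.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ifname: str       # interface pf sees the packet on, e.g. "xl0" (LAN) or "xl1" (WAN)
    direction: str    # "in" = entering the host on ifname, "out" = leaving it
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    ifname: Optional[str]   # None models "rdr inet proto tcp ..." without "on <if>"
    proto: str
    dport: int
    to_addr: str
    to_port: int

    def matches(self, pkt: Packet) -> bool:
        # rdr only applies to packets entering on an interface (modelled assumption)
        if pkt.direction != "in":
            return False
        # "rdr on xl0" further restricts to that interface; no interface = any
        if self.ifname is not None and pkt.ifname != self.ifname:
            return False
        return pkt.proto == self.proto and pkt.dport == self.dport


def apply_rdr(rules: Iterable[RdrRule], pkt: Packet) -> Tuple[str, int]:
    """Return the (address, port) the packet is delivered to after rdr; first match wins."""
    for rule in rules:
        if rule.matches(pkt):
            return (rule.to_addr, rule.to_port)
    return (pkt.dst, pkt.dport)


# The two rule variants discussed in the thread (ftp = port 21).
RDR_ON_XL0 = RdrRule("xl0", "tcp", 21, "127.0.0.1", 8021)
RDR_ANY_IF = RdrRule(None, "tcp", 21, "127.0.0.1", 8021)

# Constructed sample packets; all addresses are documentation ranges, not real hosts.
LAN_CLIENT_TO_FTP = Packet("xl0", "in", "tcp", "192.0.2.10", "198.51.100.7", 21)
LOCAL_TO_FTP = Packet("xl1", "out", "tcp", "203.0.113.2", "198.51.100.7", 21)
# Same local connection, but the process bound its socket to the LAN address;
# the packet still leaves outbound on xl1, so only the source address changes.
LOCAL_BOUND_TO_LAN_ADDR = Packet("xl1", "out", "tcp", "192.0.2.1", "198.51.100.7", 21)


def where_does_it_go(rule: RdrRule) -> dict:
    """Apply one rdr rule to the three sample flows and report the resulting destinations."""
    return {
        "lan_client": apply_rdr([rule], LAN_CLIENT_TO_FTP),
        "local_process": apply_rdr([rule], LOCAL_TO_FTP),
        "local_bound_to_lan_addr": apply_rdr([rule], LOCAL_BOUND_TO_LAN_ADDR),
    }


if __name__ == "__main__":
    for name, rule in (("rdr on xl0", RDR_ON_XL0), ("rdr (no interface)", RDR_ANY_IF)):
        print(name, where_does_it_go(rule))
```

Under this model the LAN client's connection is rewritten to 127.0.0.1:8021 with either rule, while both locally originated connections reach the FTP server directly, including the one whose socket was bound to the internal address: binding changes the source address but not the fact that the packet is outbound on xl1, which is consistent with the wget --bind-address result reported above. The practical consequence for a firewall operator is that a proxy reached only through an inbound rdr protects clients behind the box but not the box's own outbound sessions, so those need to be accounted for separately in the ruleset.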