Date: Thu, 7 Jul 2005 21:44:36 +0200
From: Michael Weiser <michael@weiser.dinsnail.net>
To: Scott Ullrich <sullrich@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: ftp connections not working from firewall box
Message-ID: <20050707194436.GD57981@weiser.dinsnail.net>
In-Reply-To: <d5992baf050707113723ee2327@mail.gmail.com>
References: <20050707182023.GB57981@weiser.dinsnail.net> <d5992baf050707113723ee2327@mail.gmail.com>
On Thu, Jul 07, 2005 at 02:37:25PM -0400, Scott Ullrich wrote:
> > another problem with my new pftpx setup is that because of
> >
> > rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> >
> > only connections coming in via the internal interface get redirected to
> > pftpx. Due to that FTP connections originating on the machine itself
> > don't work because they leave directly via the external interface so that
> > pftpx doesn't see them to add the proper firewall rules.
> >
> > Is there a workaround or proper solution for this (possibly including a
> > rant about my braindamage ;) ?
> If you default to deny on the WAN what happens if you change the rdr
> statement to:
> rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

No change. My understanding is that rdr only works for incoming packets.
This would explain why the above doesn't work. Because packets originating
on the local machine directly go out via xl1 they are not picked up by rdr
because they're outgoing already, not incoming. Is that understanding
correct or am I missing something?

One possible workaround might be to have applications that support it use
the IP of the internal interface as source address so that the packets
appear as incoming on that interface and get redirected to pftpx. But squid
for example doesn't support it and when I tried with wget --bind-address
just now it didn't work.
--
bye, Micha