Hi,

You (Axel S. Gruner) wrote:
> Client -> GW -> NAT-Server -> FW -> Internet -> customer

FW = packet filter without NAT? Does the NAT-Server do some magic to allow
active ftp sessions? Does active ftp work without pf on the fw box (fw box =
router)? If not, maybe here is your problem...

I'll give you my configuration, maybe it helps:

LAN (official ips) ---- pf GW without NAT --- Internet

/etc/inetd.conf
-----------------
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

/etc/rc.conf
--------------
inetd_enable="YES"

pf.conf, parts of ftp section
------------------------------
# default deny
block all

# local loopback traffic
pass quick on lo0 all

# redirect ftp to local proxy
rdr on $intern_if proto tcp from $intern_net to any port 21 -> 127.0.0.1 port 8021

# ftp for all
pass log quick proto tcp from <protected_lans> to 127.0.0.1 port 8021 keep state
block in log quick proto tcp from !<protected_lans> to 127.0.0.1 port 8021
pass out log quick proto tcp from <host_firewall> to <protected_lans> port > 1023 keep state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active ftp
# to internet
pass in log quick on $extern_if proto tcp from any port 20 to $extern_if port 55000 >< 57000 flags S/SA keep state
pass out log quick on $extern_if proto tcp from $extern_if to any port {20,21} flags S/AUPRFS modulate state
pass out log quick on $extern_if proto tcp from $extern_if port 55000 >< 57000 to any flags S/SAFR keep state

> I did the stuff with the ftp-proxy and active ftp connection like
> described in: http://www.openbsd.org/faq/pf/ftp.html

I assume you are German... see also http://www.warp9.de/downloads/pf-ftp.pdf

> So, where could be the problem?

Does telnet 127.0.0.1 8021 work?

bye,
Andy
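A small added check (not part of the mail above) for the interplay between the ftp-proxy data-port range in the inetd.conf line and the `port 55000 >< 57000` pass rules: it parses the PORT commands the proxy sends on the client's behalf and tests whether pf's exclusive `><` range would pass the server's data connection from port 20. The PORT commands are constructed sample input; the -m/-M bounds are assumed to be inclusive.

```python
import re

# Data-port range from "ftp-proxy -u proxy -m 55000 -M 57000" in the posted
# inetd.conf (assumed inclusive at both ends).
PROXY_MIN, PROXY_MAX = 55000, 57000

def parse_port_cmd(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = re.match(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range: %r" % line)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def pf_range_matches(port, lo, hi, op):
    """pf.conf port operators: '><' excludes both bounds, ':' includes them."""
    if op == "><":
        return lo < port < hi
    if op == ":":
        return lo <= port <= hi
    raise ValueError("unknown operator %r" % op)

def data_connection_passes(port_cmd, op="><"):
    """Would 'pass in ... from any port 20 to $extern_if port 55000 >< 57000'
    accept the server's data connection for this proxied PORT command?"""
    _, port = parse_port_cmd(port_cmd)
    return pf_range_matches(port, PROXY_MIN, PROXY_MAX, op)

def unreachable_proxy_ports(op="><"):
    """Ports inside the proxy's range that the pf rule would not pass."""
    return [p for p in range(PROXY_MIN, PROXY_MAX + 1)
            if not pf_range_matches(p, PROXY_MIN, PROXY_MAX, op)]

if __name__ == "__main__":
    # Constructed PORT commands as the proxy would send them to the server.
    for cmd in ("PORT 192,0,2,1,214,216",   # port 55000 = 214*256 + 216
                "PORT 192,0,2,1,218,224",   # port 56032
                "PORT 192,0,2,1,222,168"):  # port 57000
        print(cmd, "->", data_connection_passes(cmd))
    print("ports the '><' rule leaves blocked:", unreachable_proxy_ports())
```

Only the two boundary ports fall outside the `><` rule, so a data connection that happens to land on exactly 55000 or 57000 would be dropped while everything in between works; an inclusive `55000:57000` range closes that gap.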