Of course, I do NAT on the pf box, which routes traffic from the LAN to the
Internet. The mentioned rdr rule works, so traffic on 21 is redirected
to localhost:8021 ... However, though the initial control connection
is redirected, the subsequent ones are not. tcpdump output:
pass in on em0: 172.16.3.99.35563 > 127.0.0.1.8021
block in on em0: 172.16.3.99.57611 > 195.135.221.132.46778
Does that mean I have to open all client's outgoing ports to 'any' just
to get passive ftp running? Or do I need a second rule that redirects
subsequent things to ftp-proxy as well?
You have the rdr sending outbound 21 to the ftp-proxy service, but you
also need to let traffic back in to the service:
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
Also, don't forget to enable ftp-proxy in inetd.conf.
cheers,
Matt
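A pf.conf and inetd.conf skeleton putting the pieces of this thread together, added here as an illustration and not part of Matt's reply: the rdr rule, port 8021 and the "user proxy" pass rule come from the thread; the external interface name, the LAN network, the default-deny policy and the general LAN pass rules are assumptions.

```conf
# /etc/pf.conf (added illustration; em0 is the LAN side as in the tcpdump
# above, the external interface name and the LAN network are assumptions)
ext_if = "fxp0"
int_if = "em0"
lan_net = "172.16.3.0/24"

# Outbound NAT for the LAN
nat on $ext_if from $lan_net to any -> ($ext_if)

# Hand every outgoing FTP control connection to ftp-proxy on localhost
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

# Default deny; logged blocks show up on pflog as in the tcpdump above
block log all

# Filter rules see the translated destination, so pass the redirected
# control connection to the proxy socket rather than to "port 21"
pass in on $int_if inet proto tcp from $lan_net to 127.0.0.1 port 8021 flags S/SA keep state

# Connections whose local socket is owned by the proxy (ftp-proxy drops to
# user "proxy" by default) may leave and arrive on the external interface:
# the control connection to the server and the data connections on whatever
# ports the proxy picks. Matching on the owner replaces an "any port" hole.
pass out on $ext_if inet proto tcp from ($ext_if) to any user proxy flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy flags S/SA keep state

# Ordinary LAN traffic to the Internet (assumption: everything else is allowed out)
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# /etc/inetd.conf: start ftp-proxy from inetd on the loopback port the rdr
# rule targets (OpenBSD-style entry); it starts as root and then runs as
# user "proxy", which is what the "user proxy" rules above match on
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
```

After reloading with pfctl -f /etc/pf.conf and restarting inetd, a data connection that still shows up as "block in" on pflog is one the proxy does not own, so check which user ftp-proxy actually runs as before widening any port rule.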