On 2011-10-14, Sevan / Venture37 <ventur...@gmail.com> wrote:
> If you see this error message in /var/log/messages when trying a
> snapshot & are unable to connect to ftp servers, check your PF config
> file.
>
> Taking the complete ruleset from the PF FAQ, the rule
> pass in quick on $int_if inet proto tcp to any port ftp rdr-to
> 127.0.0.1 port 8021
> needs to change to
> pass in quick on $int_if inet proto tcp to any port ftp divert-to
> 127.0.0.1 port 8021
>
> See the configuration section of ftp-proxy(8)
Thanks - the faq is for the latest release i.e. 4.9, but yes this will need updating for 5.0. Nick, do you want to add this to your tree? I haven't touched on inet6 as we don't have a very good solution for that yet (it works fine, but you need to run a second copy of ftp-proxy from rc.local..) Index: example1.html =================================================================== RCS file: /cvs/www/faq/pf/example1.html,v retrieving revision 1.46 diff -u -p -r1.46 example1.html --- example1.html 1 May 2011 12:57:11 -0000 1.46 +++ example1.html 14 Oct 2011 08:11:35 -0000 @@ -223,15 +223,15 @@ anchor "ftp-proxy/*" </pre></blockquote> <p> -Now we will add the rule needed to redirect FTP connections so +Now we will add the rule needed to divert FTP connections so they are seen by ftp-proxy(8): <blockquote><pre> pass in quick on $int_if inet proto tcp to any port ftp \ - rdr-to 127.0.0.1 port 8021 + divert-to 127.0.0.1 port 8021 </pre></blockquote> <p> -This rule will intercept FTP connections to port 21 and redirect them +This rule will intercept FTP connections to port 21 and divert them to an ftp-proxy(8) instance running on port 8021 and, through the use of the <tt>quick</tt> keyword, matching packets will not be further checked against the rest of the ruleset. @@ -242,7 +242,7 @@ list should be used to specify the desti <p> Note that both the <a href="anchors.html">anchor</a> and the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8&manpath=OpenBSD+4.9" ->ftp-proxy(8)</a> redirect rule need to be located before any +>ftp-proxy(8)</a> divert rule need to be located before any <tt>match</tt> rules for NAT or the ftp-proxy(8) will not work as expected. 
@@ -412,7 +412,7 @@ set skip on lo anchor "ftp-proxy/*" pass in quick on $int_if inet proto tcp to any port ftp \ - rdr-to 127.0.0.1 port 8021 + divert-to 127.0.0.1 port 8021 # match rules Index: ftp.html =================================================================== RCS file: /cvs/www/faq/pf/ftp.html,v retrieving revision 1.33 diff -u -p -r1.33 ftp.html --- ftp.html 1 May 2011 12:57:11 -0000 1.33 +++ ftp.html 14 Oct 2011 08:11:35 -0000 @@ -108,7 +108,7 @@ As indicated earlier, FTP does not go th <p> -Packet Filter provides a solution for this situation by redirecting FTP +Packet Filter provides a solution for this situation by diverting FTP traffic through an FTP proxy server. This process acts to "guide" your FTP traffic through the NAT gateway/firewall, by actively adding needed rules to PF system and removing them when done, by means of the PF @@ -123,12 +123,12 @@ of <tt>pf.conf</tt>: <blockquote> <tt> -pass in quick on $int_if proto tcp to port 21 rdr-to 127.0.0.1 port 8021 +pass in quick on $int_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021 </tt> </blockquote> <p> -This redirects FTP from your clients to the ftp-proxy(8) program, +This diverts FTP from your clients to the ftp-proxy(8) program, which is listening on your machine to port 8021. <p> @@ -155,7 +155,7 @@ The ftp-proxy program can be started as reboot. <p> -ftp-proxy listens on port 8021, the same port the above <tt>rdr-to</tt> +ftp-proxy listens on port 8021, the same port the above <tt>divert-to</tt> statement is sending FTP traffic to. <p> @@ -273,8 +273,8 @@ the <a href="#client">FTP Client Behind <tt> match out on $ext_if from $int_if nat-to ($ext_if)<br> anchor "tftp-proxy/*"<br> -pass in quick on $int_if proto udp from $int_if to port tftp \<br> - rdr-to 127.0.0.1 port 6969<br> +pass in quick on $int_if inet proto udp from $int_if to port tftp \<br> + divert-to 127.0.0.1 port 6969<br> <br> anchor "tftp-proxy/*" </tt> 
@@ -288,7 +288,7 @@ servers on the external network. The last step is to enable tftp-proxy in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=inetd.conf&sektion=5" >inetd.conf(5)</a> so that it listens on the same port that the -<tt>rdr-to</tt> rule specified above, in this case 6969. +<tt>divert-to</tt> rule specified above, in this case 6969. <blockquote> <tt>
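Review bot: in the example1.html hunk at @@ -242,7 the ftp-proxy(8) man page link still carries manpath=OpenBSD+4.9 while the rule it describes is the 5.0 divert-to form, so the link and the text would document different releases; bump the manpath in the same commit (or drop it so the link follows the current release).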
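Review bot: the `inet` keyword added to the rule in the ftp.html hunk at @@ -123,12 is not explained by the surrounding text, which still reads "This diverts FTP from your clients to the ftp-proxy(8) program" without saying the rule is now IPv4-only; since the reply notes inet6 needs a second ftp-proxy started from rc.local, a sentence next to the rule saying that IPv6 is not covered would save readers a confusing debugging session. Also, this rule uses `to port 21` while the example1.html rule uses `to any port ftp`; harmless, but worth aligning.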
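Review bot: the tftp-proxy rule in the ftp.html hunk at @@ -273,8 is switched to divert-to on the strength of the ftp-proxy(8) configuration section, the only reference given in the thread; before committing, confirm that the tftp-proxy(8) shipped with 5.0 accepts diverted UDP packets in the same way, otherwise the TFTP section would break for the same reason the FTP one did. The `inet` keyword added here is likewise not mentioned in the text around the rule.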
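A quick way to catch rulesets that were copied from the 4.9 FAQ and never updated is to scan pf.conf for proxy rules that still use rdr-to. The script below is an added example and is not part of the thread, the FAQ or OpenBSD; it assumes the FAQ's default proxy ports (8021 for ftp-proxy, 6969 for tftp-proxy), handles backslash-continued rules the way the FAQ writes them, and uses a constructed sample ruleset for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD FAQ: scan a pf.conf for
# proxy rules that still use rdr-to where the 5.0 ftp-proxy(8) expects
# divert-to. Assumes the FAQ's default proxy ports (8021 for ftp-proxy,
# 6969 for tftp-proxy); adjust the port list if yours differ.

# Reads a pf.conf on stdin. Prints each offending rule with the divert-to form
# suggested beside it. Returns 1 if any were found, 0 otherwise.
check_proxy_rules() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /\\[ \t]*$/ {                             # join "\"-continued lines
            sub(/\\[ \t]*$/, ""); buf = buf $0; next
        }
        { line = buf $0; buf = "" }
        line ~ /rdr-to[ \t]+127\.0\.0\.1[ \t]+port[ \t]+(8021|6969)([ \t]|$)/ {
            fix = line; sub(/rdr-to/, "divert-to", fix)
            print "line " NR ": " line
            print "  suggested: " fix
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample ruleset for the demonstration: the FTP rule still uses
# rdr-to, the TFTP rule has already been switched to divert-to.
SAMPLE_CONF='# constructed sample, not a real ruleset
int_if = "em1"
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    rdr-to 127.0.0.1 port 8021
anchor "tftp-proxy/*"
pass in quick on $int_if inet proto udp from $int_if to port tftp \
    divert-to 127.0.0.1 port 6969'

if printf '%s\n' "$SAMPLE_CONF" | check_proxy_rules; then
    echo "no rdr-to proxy rules found"
else
    echo "rules above need divert-to on OpenBSD 5.0"
fi
```

On a real system run it as `check_proxy_rules < /etc/pf.conf`; a non-zero exit makes it usable from a pre-upgrade checklist script. It only reports, it does not rewrite pf.conf, because the divert-to form also needs an ftp-proxy(8) that understands diverted sockets, which is a release question rather than a text substitution.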