On 08/20/2012 04:43 PM, lilit-aibolit wrote:
I have an internal ftp-server.
To give access to it from the Internet I use ftp-proxy:
ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
and rules:
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp from any to (em1) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy
and this works. But I need to give access to external ftp-servers from my
lan.
I use rules:
match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
pass in on $int_if inet proto tcp from <lan> to any port { ftp, >49151 }
pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }
and it does not work from the lan:
<snip>
What is wrong with my config?
Thanks.
You need to start ftp-proxy twice. One to redirect the external clients
to the internal server and another one for the internal clients.
And of course you also need to redirect the internal client to the
second instance of ftp-proxy.
Something like this should work:
rc.conf.local (for internal clients):
ftpproxy_flags=""
rc.local (for external clients):
/usr/sbin/ftp-proxy -R <internal ip of server> -p 21 -b <external ip>
And make sure you have something like this in your pf.conf:
pass in on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
Maurice
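The two-instance setup from the reply above, put together in one pf.conf as an added example (not a configuration posted in the thread); interface names, the table contents and the listen sockets are assumptions, with em1 as the external interface and em0 as the internal one:

```pf
# Added example, not from the original thread. Assumed: external if em1,
# internal if em0, addresses below are constructed sample values.
ext_if = "em1"
int_if = "em0"
table <ftp_server> const { 10.0.0.10 }    # constructed: internal FTP server
table <lan> const { 10.0.0.0/24 }         # constructed: LAN clients

# Instance 1 (rc.conf.local: ftpproxy_flags="") listens on its default
# socket 127.0.0.1:8021 and proxies LAN clients out to Internet servers.
# Instance 2 (rc.local: ftp-proxy -R <server> -p 21 -b <ext_ip>) listens on
# the external address, port 21, and reverse-proxies Internet clients in.
# The two never collide because they bind different address:port pairs.

match out on $ext_if inet proto tcp from <lan> to any nat-to ($ext_if)

# Both instances insert their per-session data-connection rules here.
anchor "ftp-proxy/*"

# Internal clients: divert the FTP control connection to instance 1.
pass in quick on $int_if inet proto tcp from <lan> to any port ftp \
    divert-to 127.0.0.1 port 8021
# Only the proxy (running as user proxy) may open control connections out;
# LAN hosts never talk to port 21 on the Internet directly.
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy

# External clients: the control connection lands on instance 2's socket.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp
# Only instance 2 may reach the internal server on port 21.
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sA` that the `ftp-proxy` anchor shows up once a session is open.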