Your pf.conf differs from examples in the faq. I would suggest turning logging on in pf, and doing:

tcpdump -n -e -ttt -i pflog0

Then you can see why it's failing.

On Thu, Apr 04, 2013 at 09:38:57AM +1100, John Tate wrote:
> I've got a gateway computer that I also want to be an ftp server. I've put
> everything through pf as per http://openbsd.org/faq/pf/ftp.html
>
> Can anyone see something I've missed in this config? I can't access it
> remotely.
>
> # grep -v -e ^# -e ^$ /etc/vsftpd.conf
> anonymous_enable=NO
> local_enable=YES
> dirmessage_enable=YES
> xferlog_enable=YES
> connect_from_port_20=YES
> nopriv_user=_vsftpd
> ftpd_banner=Welcome to Kintaro's home. Where the downstream is small but the system enourmous.
> chroot_list_enable=YES
> chroot_list_file=/etc/ftpchroot
> userlist_enable=YES
> userlist_file=/etc/ftpusers
> secure_chroot_dir=/var/vsftpd
> pasv_min_port=49152
> pasv_max_port=65535
> text_userdb_names=YES
> listen=YES
> background=YES
> log_ftp_protocol=YES
> xferlog_enable=YES
> pasv_enable=YES
> pasv_min_port=49151
> pasv_max_port=65535
>
> # grep -v -e ^# -e ^$ /etc/pf.conf
>
> int_if="fxp0"
> ext_if="pppoe0"
> murphy="10.0.0.2"
> fekete="10.0.0.3"
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938 }"
> tcp_services="{ 22 }"
> icmp_types="echoreq"
> set skip on lo
> anchor "ftp-proxy/*"
> pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> pass # to establish keep-state
> block in on ! lo0 proto tcp to port 6000:6010
> block in log
> pass out quick
> antispoof quick for { lo $int_if }
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
> pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
> pass in inet proto icmp all icmp-type $icmp_types
> pass in on $int_if
>
>
> --
> www.johntate.org
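The reply's suggestion is to read pflog0 with tcpdump and see which rule drops the FTP traffic. The following script is an added example, not part of the thread and not from OpenBSD or vsftpd: it takes lines in the shape tcpdump prints for pflog0, picks out the "block" entries whose destination is the FTP control port (21) or the passive range the poster's rule "port > 49151" is meant to cover (49152-65535), and reports the rule number that matched, which can then be looked up with `pfctl -vvsr`. The sample lines, addresses and field layout are constructed to resemble pflog output and are assumptions, not a capture from the poster's gateway.

```shell
#!/bin/sh
# Added example (not from the thread): summarise pflog0 "block" entries that hit
# the FTP control port or the passive data range, with the pf rule number that
# matched, so the rule can be cross-checked against `pfctl -vvsr`.

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output. The field layout
# (delta-time, "rule N/(match)", action, direction, interface, src > dst:) is an
# assumption modelled on OpenBSD's pflog format; the addresses are documentation
# ranges, not real hosts.
SAMPLE_PFLOG='000000 rule 8/(match) block in on pppoe0: 203.0.113.5.51234 > 198.51.100.7.21: S 1:1(0) win 65535
000123 rule 8/(match) block in on pppoe0: 203.0.113.5.51235 > 198.51.100.7.50000: S 2:2(0) win 65535
000456 rule 12/(match) pass in on pppoe0: 203.0.113.9.40000 > 198.51.100.7.22: S 3:3(0) win 65535
000789 rule 8/(match) block in on pppoe0: 203.0.113.5.51236 > 198.51.100.7.443: S 4:4(0) win 65535'

# Read pflog lines on stdin; print "rule <n> blocked <src> -> port <p>" for each
# blocked packet whose destination port is 21 or in 49152-65535 (the range
# selected by "port > 49151").
pflog_ftp_blocks() {
    awk '
        $4 == "block" {
            rule = $3; sub(/\/.*/, "", rule)        # "8/(match)" -> "8"
            dst = $10; sub(/:$/, "", dst)           # strip trailing ":"
            n = split(dst, parts, "."); port = parts[n] + 0   # last dotted field is the port
            if (port == 21 || (port >= 49152 && port <= 65535)) {
                printf "rule %s blocked %s -> port %d\n", rule, $8, port
            }
        }'
}

# Read pflog lines on stdin; print how many packets each rule number blocked,
# sorted by rule number, to spot the rule doing the dropping at a glance.
pflog_block_counts() {
    awk '
        $4 == "block" {
            rule = $3; sub(/\/.*/, "", rule)
            count[rule]++
        }
        END {
            for (rule in count) printf "rule %s: %d blocked\n", rule, count[rule]
        }' | sort
}

# Usage: feed the constructed sample (or `tcpdump -n -e -ttt -i pflog0` output)
# through both summaries.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_ftp_blocks
printf '%s\n' "$SAMPLE_PFLOG" | pflog_block_counts
```

On a live gateway, replace the `printf` lines with a pipe from tcpdump, or save a capture to a file and feed it through the functions with a redirect; the rule numbers in the output match the `@N` numbers that `pfctl -vvsr` prints.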