Hello, I have FTP clients behind my OpenBSD firewall and they want to access FTP sites on the internet.
I have read lots of documentation but haven't found the answer yet.

* I start the ftp-proxy like this:

    /usr/sbin/ftp-proxy -D7 -v

* I have these rules in my pf.conf:

    anchor "ftp-proxy/*"
    pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 127.0.0.1 port 8021
    pass out quick on $ext_if inet proto tcp from $ext_add to any port 21

I filter both interfaces, lan and wan, on my firewall.

I'm able to connect to an FTP server from inside the LAN, but when I run the command ls it fails. Of course, this is normal because there is no rule that allows the FTP data (passive) connection to go out, and the packets are dropped when they try to leave the firewall's external interface:

    Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 > x.x.x.x.39046: S 1161913180:1161913180(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 700905107[|tcp]>

* My question

The FTP data channel connects to an unknown server and an unknown port. I don't want to open a large range of ports on my firewall's external interface. How can I allow only a specific set of outgoing ports when the connection is initiated by the ftp-proxy only?
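An added example, not the poster's ruleset and not code from the OpenBSD project: a pf.conf skeleton for a firewall that filters both the internal and external interface, showing where the "ftp-proxy/*" anchor has to sit relative to the block rules. ftp-proxy(8) inserts a small set of pass rules into that anchor for each data connection it sees negotiated on the control channel (specific client, server and port only) and removes them when the session ends, so no static port range has to be opened on the external interface; what matters is that the anchor is evaluated before any quick block rule would drop the data packets. Interface names, the LAN prefix, the macro $ext_addr and the tag name FTPPROXY are assumptions.

```pf
# Added example pf.conf fragment (not the poster's configuration). Interface
# names, addresses, macro names and the tag name are assumptions; adjust them
# to the local setup.
int_if   = "vmx1"             # assumed LAN interface
ext_if   = "vmx0"             # assumed WAN interface (the one logging "block out")
lan      = "192.168.1.0/24"   # assumed LAN prefix
ext_addr = "($ext_if)"        # address of the external interface

set skip on lo

# Default deny on both interfaces, without "quick", so that later rules
# (including the per-session rules the proxy loads into its anchor) can
# override it for the traffic they match.
block log all

# The proxy's anchor. For every FTP session ftp-proxy(8) adds pass rules here
# covering only the negotiated data connection (client -> server:port for
# passive mode, server -> client:port for active mode) and deletes them when
# the session closes. Nothing is opened statically, and because the proxy's
# rules carry "quick", they win for the data connections and nothing else.
# Placing the anchor before a "block ... quick" on $ext_if is what makes
# this work on a firewall that filters the external interface as well.
anchor "ftp-proxy/*"

# Control channel: hand LAN clients' port-21 connections to the proxy ...
pass in quick on $int_if inet proto tcp from $lan to any port 21 \
    divert-to 127.0.0.1 port 8021
# ... and let the proxy's own control connection out.
pass out quick on $ext_if inet proto tcp from $ext_addr to any port 21

# Optional: started as "ftp-proxy -T FTPPROXY", the proxy tags packets matched
# by its inserted rules. A "tagged" rule then lets you log (or queue) exactly
# the proxy's data connections without widening what is allowed:
# pass out log on $ext_if tagged FTPPROXY
```

To check the behaviour, start the proxy in the foreground with -D7 -v as in the post, run ls from a client, and in another shell list the anchor with `pfctl -a "ftp-proxy/*" -sr` while the transfer is in progress: the expected result is a handful of pass rules naming the client, the server and the single data port, which disappear again once the session ends. If no rules appear, the control connection is not reaching the proxy through the divert-to rule; if they appear but the data packets are still logged as blocked by the rule at position 0 (`pfctl -vvsr` prints rule numbers as @0, @1, ...), a quick block rule is being evaluated before the anchor and the anchor needs to move up.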