Hi list,

I use ftp-proxy on my firewall as a reverse proxy for a host on the DMZ. The incoming connections come in on one of the external interfaces, which is not the default gateway of the firewall. Therefore I use reply-to statements on the pass in rules to make sure the answer packets leave the firewall via this interface. The packets are redirected to the locally running ftp-proxy. The control connection works fine for passive and active FTP, but the data connection leaves the network on the wrong external interface, following the default route and ignoring the reply-to statement that applied when the packets came in. I doubt that I have a chance to get it running without changing the default route to the interface where the packets are coming in, because the ftp-proxy terminates the data connections on behalf of the client and server, and IIRC the reply-to/route-to statements do not work for local connections.
Just another small question: I had tcpdump running on localhost and thought I would see the packets which are redirected to the ftp-proxy, but nothing showed up there. Does pf take some shortcut with these redirected packets? Can I filter these packets on the localhost interface even if they do not show up there?

Kind regards,
Sebastian
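For readers following the setup described in the post, here is a minimal pf.conf and ftp-proxy invocation that reproduces it. This is an added illustration, not configuration from the original message: the interface names, addresses, the post-4.7 single-ruleset syntax (rdr-to, anchor "ftp-proxy/*") and the listen port 8021 are assumptions chosen for the example.

```pf
# Added example (not from the original post). Assumed names/addresses:
ext_if_a = "em0"            # external interface holding the default route
ext_if_b = "em1"            # second external interface where FTP clients arrive
ext_gw_b = "198.51.100.1"   # next hop on ext_if_b (assumed)
dmz_if   = "em2"
ftp_srv  = "10.10.10.21"    # FTP server in the DMZ (assumed)

# Rules that ftp-proxy installs at runtime for the control and data
# connections are loaded through this anchor.
anchor "ftp-proxy/*"

# Control connection: redirect port 21 on ext_if_b to the local ftp-proxy.
# reply-to pins the replies to the interface/next hop the request arrived on
# instead of the default route. 'log' sends the matching packets to pflog0,
# where they can be inspected with:  tcpdump -n -e -ttt -i pflog0
pass in log quick on $ext_if_b inet proto tcp to ($ext_if_b) port 21 \
    rdr-to 127.0.0.1 port 8021 reply-to ($ext_if_b $ext_gw_b)

# The proxy itself opens the connection to the DMZ server.
pass out quick on $dmz_if inet proto tcp to $ftp_srv port 21

# Reverse proxy started as (assumed addresses):
#   ftp-proxy -R 10.10.10.21 -p 8021 -b 127.0.0.1
```

The rule carries both a translation option (rdr-to) and a routing option (reply-to), which pf accepts on one rule; the data connections, however, are opened by ftp-proxy as locally originated traffic, which is the case the post is asking about.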