On Sat, 17 Mar 2007, Sebastian Reitenbach wrote:
> I use ftp-proxy on my firewall as a reverse proxy for a host on the dmz. The
> incoming connections come in on one of the external interfaces, which is
> not the default gateway of the firewall. Therefore I use reply-to statements
> on the pass in rules to make sure the answer packets are leaving the
> firewall via this interface. The packets are redirected to the locally
> running ftp-proxy. The control connection works fine for passive and active
> ftp, but the data connection leaves the network on the wrong external
> interface, following the default route, ignoring the reply-to statement when
> they come in.
ftp-proxy does not add route-to and reply-to to the rules it adds to the anchors to allow the data connections, so those will always be routed "normally".

I once did some preliminary work on it though, after which Bill Marquette picked it up. Those patches are here:

http://pfsense.com/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/files/

(ftp-proxy used to be called pftpx)

I'm not too fond of reply-to / route-to to be honest, so I never merged this into ftp-proxy proper.

--
Cam
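The setup the thread describes, as an added pf.conf sketch that is not from either mail: interface names, addresses and the anchor layout are assumptions (the anchor layout follows the ftp-proxy(8) man page of that period), and the comments mark where the reply-to coverage stops.

```pf
# Constructed example for the setup discussed in this thread; the interface
# names and addresses below are assumptions, not values from the mail.
ext_if = "em1"         # external interface that receives FTP; NOT the default route
ext_gw = "192.0.2.1"   # next hop on $ext_if, used by reply-to

# Anchors that ftp-proxy (started in reverse mode, e.g. "ftp-proxy -R <dmz host>")
# fills at runtime with the nat/rdr and pass rules for each data connection.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control connection: clients reach port 21 on $ext_if and are redirected to the
# local ftp-proxy on port 8021. The rdr carries no "pass" so that the explicit
# pass rule further down can carry the reply-to option.
rdr on $ext_if proto tcp from any to $ext_if port 21 -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Replies on the control connection leave through $ext_if towards $ext_gw instead
# of following the default route; this is why the control channel works in both
# passive and active mode.
pass in on $ext_if reply-to ($ext_if $ext_gw) proto tcp \
    from any to 127.0.0.1 port 8021 keep state

# The data connections are passed by the rules ftp-proxy inserts into the
# "ftp-proxy/*" anchor above. Those rules carry no reply-to (and no route-to), so
# the reply packets of every data connection are routed "normally", i.e. via the
# default gateway on the other external interface, which is the symptom reported.
```

Checking the live anchor contents with `pfctl -a "ftp-proxy/*" -sr` while a transfer is in progress shows the inserted rules and confirms that none of them carries a reply-to option.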