Son of a....
Thanks Camiel. I changed $proxy_addr to $lan_if and it started working.
-- Steve
Camiel Dobbelaar wrote:
On Tue, 10 Apr 2007, Steve Mertz wrote:
I'm trying to set up a firewall that allows FTP in to a server that is NATed on
the other side. But that only allows access from one address outside the
firewall.
Something like:
Machine -> Internet -> Firewall/NAT -> FTP server
I realize I need to use ftp-proxy to get through the NAT part of the firewall,
but I'm not having much luck with it so far.
Here is what I have:
/usr/sbin/ftp-proxy -R 10.10.11.10
pf.conf:
dev_addr = "..."   # machine that has access to ftp to this server
proxy_addr = "127.0.0.1"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor "ftp-proxy/*"
pass in proto tcp from $proxy_addr to any port 21 keep state
This last rule is the problem.
You need to pass _out_ from the firewall, and not using the
127.0.0.1 address, but the address that the kernel will pick for the
connection to the server (10.10.11.1?).
Or you can try this:
pass out proto tcp from any to port 21 keep state user proxy
--
Cam
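A complete pf.conf for the setup in this thread, written as an added example (not Steve's or Camiel's ruleset). It uses the addresses Steve gave (the FTP server 10.10.11.10, the firewall's LAN address 10.10.11.1 as Camiel guessed) and assumes interface names em0/em1, a placeholder client address, and that ftp-proxy drops privileges to the OpenBSD user `_proxy` (Camiel wrote `proxy`; check ftp-proxy(8) on your release before relying on the `user` variant):

```pf
# Macros. Interface names and the client address are assumptions for this
# example; the FTP server and firewall LAN addresses come from the thread.
wan_if     = "em0"          # assumed external interface
lan_if     = "em1"          # assumed internal interface (10.10.11.1)
dev_addr   = "192.0.2.10"   # constructed placeholder for the one allowed client
ftp_server = "10.10.11.10"  # target of: ftp-proxy -R 10.10.11.10
proxy_addr = "127.0.0.1"

# ftp-proxy inserts its per-session nat/rdr rules here
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Only $dev_addr may reach port 21 on the external address; the connection
# is handed to ftp-proxy listening on 127.0.0.1:8021. "rdr pass" also
# creates the inbound pass rule, so no separate "pass in" is needed.
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021

block in all
block out all

# ftp-proxy inserts its per-session pass rules for data connections here
anchor "ftp-proxy/*"

# The control connection to the real server is OUTBOUND from the firewall
# itself, sourced from the kernel-chosen LAN address, never from 127.0.0.1.
# Matching on "from $proxy_addr" (the original rule) therefore never hits.
pass out on $lan_if proto tcp from $lan_if to $ftp_server port ftp keep state

# Alternative: match the owning uid instead of the source address, so the
# rule keeps working if the LAN address changes. The user name is an
# assumption for this example (Camiel suggested "user proxy").
# pass out proto tcp from any to $ftp_server port ftp keep state user _proxy
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; while testing, `pfctl -a "ftp-proxy/*" -sr` shows the rules ftp-proxy inserts for each session, and `pfctl -ss | grep 10.10.11.10` confirms that the control connection is being created with the LAN address as its source, which is why the `pass out` rule has to match on that address.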