On 2010/03/12 10:14, Vadim Zhukov wrote:
> On 12 March 2010 03:23:00 Stuart Henderson wrote:
> > On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote:
> > > Hi,
> > >
> > > my -current firewall is configured to block all in, block all out
> > > and allow only certain outbound connections.
> > >
> > > Now I want to allow outbound ftp connections.
> > >
> > > I read ftp-proxy(8) and
> > > http://openbsd.org/faq/pf/ftp.html#client.
> > >
> > > As I understand it, ftp-proxy could be used to create rules for
> > > inbound and outbound connections on 4.6. Now on -current the rdr
> > > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
> > > suggests using rdr-to, but this only works for inbound
> > > connections.
> > >
> > > Is it possible to allow ftp connections from a local client to
> > > public ftp servers on the internet? Possibly by using ftp-proxy?
> >
> > I suspect your understanding of "inbound" is from the viewpoint
> > of your network; PF doesn't care about that at all, it's only
> > concerned with whether a packet is inbound or outbound to a
> > particular interface.
> >
> > rdr only works for inbound connections too.
> >
> > A rule like the following works just fine for an ftp connection
> > from a local client to a public ftp server:
> >
> > pass in quick log on {lan, wifi, natted} inet proto tcp \
> >     to port 21 rdr-to 127.0.0.1
>
> Well, if "block out all" is set on external interface then ftp-proxy
> outgoing connections will be blocked - ftp-proxy(8) does not create PF
> rules for connections itself. Something like
True, I was just considering the differences from 4.6.

> pass out on $ext_if from ($ext_if) to port ftp
>
> will work around this, but I think ftp-proxy(8) should be fixed instead...

hmm, that used to be there... what do you think, does this make sense?

Index: ftp-proxy.8
===================================================================
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8	21 Nov 2009 13:59:31 -0000	1.14
+++ ftp-proxy.8	12 Mar 2010 07:41:10 -0000
@@ -170,6 +170,7 @@ Adjust the rules as needed.
 .Bd -literal -offset 2n
 anchor "ftp-proxy/*"
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass out on egress proto tcp from (self) to port 21 user proxy
 .Ed
 .Sh SEE ALSO
 .Xr ftp 1 ,
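Review bot: in the `@@ -170,6 +170,7 @@` hunk the added rule says `port 21` while the `pass in` line directly above it says `port ftp`; the two lines of the same example should use the same form, e.g. `pass out on egress proto tcp from (self) to port ftp user proxy`. Two smaller points on the same hunk: `on egress` means the proxy's control connections to FTP servers reachable over a non-egress interface are not covered, so either drop the interface qualifier or say so in the text; and since the prose before the listing only says "Adjust the rules as needed.", a sentence explaining why the `pass out` rule is needed (ftp-proxy does not add a rule for its own outgoing control connection, so a ruleset that blocks outbound traffic by default must allow it, and `user proxy` limits that allowance to the proxy's unprivileged user) would tell readers what the line is for rather than leaving them to work it out from a failing transfer.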
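The thread above settles on three pieces: the `ftp-proxy/*` anchor, a `pass in ... rdr-to` rule that hands LAN clients' control connections to ftp-proxy, and a `pass out ... user proxy` rule so that ftp-proxy's own control connection survives a default-deny ruleset. The following minimal pf.conf puts them together for the original poster's "block all, allow selected outbound" firewall. It is an added example, not from the thread or from ftp-proxy(8); the interface names `em0`/`em1` are assumptions, and it assumes ftp-proxy is running with its default listener on 127.0.0.1 port 8021 and dropping privileges to the `proxy` user as the -current ftp-proxy of that time did.

```pf
# Added example, not from the mailing-list thread or ftp-proxy(8).
# Interface names are assumptions; adjust to the real ones.
ext_if = "em0"    # assumed: interface towards the Internet
int_if = "em1"    # assumed: LAN interface the FTP clients sit behind

set skip on lo

# The original poster's policy: deny everything in both directions,
# then allow only what is listed below.
block all

# ftp-proxy(8) loads the per-session rules for the data connections
# (active and passive) into sub-anchors below this one; without the
# anchor the data channel is blocked even though the control channel works.
anchor "ftp-proxy/*"

# Control connection from a LAN client to any FTP server: PF sees this as
# "in" on $int_if, so rdr-to is the right tool. It is redirected to
# ftp-proxy's default listener (127.0.0.1 port 8021).
pass in quick on $int_if inet proto tcp from $int_if:network \
    to port ftp rdr-to 127.0.0.1 port 8021

# ftp-proxy's own control connection to the real server. ftp-proxy does not
# add a rule for this itself, so under "block all" it has to be allowed here.
# "user proxy" restricts the rule to sockets owned by ftp-proxy's
# unprivileged user; $ext_if is in parentheses so a DHCP address change is
# picked up without reloading the ruleset.
pass out quick on $ext_if inet proto tcp from ($ext_if) to port ftp \
    user proxy

# other permitted outbound traffic from the firewall or the LAN goes here
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; ftp-proxy is started separately (on an OpenBSD of that era by setting `ftpproxy_flags` in rc.conf.local). While a transfer is in progress, `pfctl -a "ftp-proxy/*" -sr` shows the data-connection rules the proxy inserted, which is the quickest way to tell a blocked control connection (nothing appears) from a blocked data connection (rules appear but the transfer stalls).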