I'm currently working on locking down one of my machines with pf. Right now it has a default deny policy and FTP is causing issues. I did a search on how to work around FTP oddities using ftp-proxy, but from what I understand this requires an internal interface to work, which this system doesn't have since it's behind a Netgear router.
Is there something like ftp-proxy for external-interface-only setups that uses anchors to rewrite rules on the fly? Another option I thought of is making a wrapper script around ftp, or whatever the command-line client was, that would take in the hostname as the first argument, and the rest of the arguments would be passed to whatever the client was. The first call to the script would use pfctl to add the server to a table, which would then have a lenient ruleset for any FTP server in that table. Once the command is done running, pfctl would remove that server from the table. I'm wondering if this would be a good idea.

PS: Yes, I plan to set up an OpenBSD router at some point so this doesn't become an issue. Unfortunately I'm saving up for something at the moment, so even a cheap router off eBay is out of the question right now :)

- Onteria
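One way to build the wrapper sketched above, as an added example that is not from the original post: a POSIX shell script for OpenBSD pf that assumes a hypothetical table named `<ftp_servers>` and the pf.conf lines shown in its comments (passive-mode FTP only), validates the host argument so nothing but a hostname or IP literal reaches pfctl, and removes the table entry on exit even when the client is interrupted.

```shell
#!/bin/sh
# ftpwrap: ftpwrap HOST [ftp-client args...]
# Adds HOST to the pf table <ftp_servers> only while the FTP client runs,
# then removes it again. Assumes /etc/pf.conf already contains (hypothetical
# ruleset, passive-mode FTP):
#   table <ftp_servers> persist
#   pass out proto tcp to <ftp_servers> port 21
#   pass out proto tcp to <ftp_servers> port > 1023
# PFCTL and FTP_CLIENT can be overridden so the script can be exercised
# without root or a live pf; the defaults are the real commands.
PFCTL=${PFCTL:-pfctl}
FTP_CLIENT=${FTP_CLIENT:-ftp}
TABLE=${TABLE:-ftp_servers}

# Accept only something shaped like a hostname or IP literal, so a stray
# argument such as "-T flush" can never reach pfctl as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pfctl resolves hostnames itself; for round-robin DNS names pass the IP
# so that the add and the delete refer to the same address.
table_add()    { "$PFCTL" -t "$TABLE" -T add    "$1" >/dev/null 2>&1; }
table_delete() { "$PFCTL" -t "$TABLE" -T delete "$1" >/dev/null 2>&1; }

# Run the client with the server in the table. The trap guarantees removal
# even if the client is killed or the user hits ^C; the client's exit
# status is passed through.
run_with_table() {
    host=$1; shift
    valid_host "$host" || { echo "ftpwrap: bad host '$host'" >&2; return 64; }
    table_add "$host" || { echo "ftpwrap: pfctl add failed" >&2; return 1; }
    trap 'table_delete "$host"' EXIT INT TERM
    "$FTP_CLIENT" "$host" "$@"
    rc=$?
    trap - EXIT INT TERM
    table_delete "$host"
    return $rc
}

# Only act as the wrapper when invoked with arguments (e.g. ftpwrap ftp.example.org).
if [ $# -gt 0 ]; then
    run_with_table "$@"
    exit $?
fi
```

Two wrappers run in parallel against the same server will race on the delete, so keep the table dedicated to this script and prefer IP literals when that matters.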