Re: no NAT, ftp-proxy, & passive FTP
On Fri, Sep 12, 2003 at 11:24:04AM -0500, Chris Wage wrote:
> Because pf redirects packets outgoing on port 21 to localhost on port
> 8021
>
> Subsequent Passive data requests come from the originating host (behind
> the firewall) on an arbitrary higher source port destined for the FTP
> server on an arbitrary higher port. There's no way to catch this that I
> am aware of.
Ah. And there is therefore a problem with the -n option, which turns off
proxying of the PASV data requests, yes?
     -n      Activate network address translation mode.  In this mode, the
             proxy will not attempt to proxy passive mode (PASV or EPSV) data
             connections.  In order for this to work, the machine running the
             proxy will need to be forwarding packets and doing network
             address translation to allow the outbound passive connections
             from the client to reach the server.  See pf.conf(5) for more
             details on nat.  The proxy only ignores passive mode data
             connections when using this flag, it will still proxy PORT and
             EPRT mode data
Since your machine is doing the pf, and running the proxy (as well as
the ftp server, but that is not mentioned as a requirement), this looks
like it should be doing the job you're asking for.
--
"Friendship is born at that moment when one person says to another, 'What!
You too? I thought I was the only one!'"
--C.S. Lewis
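An added example, not taken from this thread or from the ftp-proxy(8) man page, of what the -n (NAT mode) setup discussed above looks like in the pf.conf syntax of the period (OpenBSD 3.x; the nat/rdr keywords were replaced by match ... nat-to/rdr-to in 4.7 and ftp-proxy was rewritten to use anchors). Interface names, the internal network and the inetd.conf line are assumptions; the point of the example is which connections pf can see and filter precisely, and which one (passive data) it can only NAT and pass through on a broad rule.

```conf
# Added example: pf.conf (OpenBSD 3.x syntax) for ftp-proxy in -n (NAT) mode.
# Assumed names: fxp0/fxp1 and the internal network are placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"      # constructed internal network

# Outbound LAN traffic is NATed to the firewall's external address.
# ftp-proxy -n depends on this: passive data connections go straight from
# the client to the server and are only translated, never proxied.
nat on $ext_if from $int_net to any -> ($ext_if)

# Control connections (port 21) from the LAN are redirected to the proxy
# listening on localhost:8021 (spawned by inetd; assumed inetd.conf line:
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n
# ).
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block all

# Translation happens before filtering, so the redirected control
# connection is seen by the filter as LAN -> 127.0.0.1:8021.
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# The proxy itself opens the real control connection to the server.
pass out on $ext_if proto tcp from ($ext_if) to any port 21 \
    flags S/SA keep state

# PASV/EPSV data: the client connects to a server-chosen high port.
# Nothing on the firewall knows that port in advance (the point raised in
# the thread), so in -n mode the only option is to let LAN hosts out to
# ports > 1023 and rely on stateful tracking. Keep this as narrow as the
# environment allows (source network, a list of permitted servers, log).
pass in  on $int_if proto tcp from $int_net to any port > 1023 \
    flags S/SA keep state
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 \
    flags S/SA keep state

# PORT/EPRT data is still proxied: the server connects back to the
# firewall's external address on a port the proxy listens on, and the
# proxy then connects to the client. The listening range can be bounded
# with ftp-proxy's -m/-M options so this rule need not cover all of > 1023.
pass in  on $ext_if proto tcp from any to ($ext_if) port > 1023 \
    flags S/SA keep state
pass out on $int_if proto tcp from ($int_if) to $int_net port > 1023 \
    flags S/SA keep state
```

Read top to bottom, the rules show the trade-off the thread is about: control and active-mode data are proxied and can be filtered tightly, but with -n the passive data channel is an ordinary NATed outbound connection to an unpredictable port, so the egress rule for it is necessarily coarse and is the one worth logging and reviewing.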