
Re: pf, ftp-proxy, default deny, 421 Service not available



Craig Skinner wrote:
> Chris Zakelj wrote:
> 
>> I see you're only passing ports >1023.  Passive FTP uses those for the 
>> data connections, but you still need to allow outbound port 21 
>> access.  That's the control connection.

Do you mean outbound from port 21 to port 21? That would be weird for a 
client.


Redirect to proxy:-

rdr pass on $int_if inet proto tcp from $int_fw port > 1023 \
         to port ftp -> 127.0.0.1 port 8021


I allow out from high ports to 21 & high ports:-

pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
         to any port ftp modulate state
pass out log on $ext_if inet proto tcp from ($ext_if) port > 1023 \
         to any port > 1023 modulate state


And allow in to 21 & high ports:-

pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
         to any port ftp modulate state
pass in log on $int_if inet proto tcp from $int_fw port > 1023 \
         to any port > 1023 modulate state


Surely that should do it?
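For comparison, here is a complete minimal pf.conf for ftp-proxy(8) in the same pre-4.7 rdr syntax as the rules above. This is an added example and is not from the posted message; the macro names $int_if and $ext_if are taken from the post, while the interface names, the $lan macro and "set skip on lo0" are assumptions. The point it shows is the pair of "ftp-proxy/*" anchors that ftp-proxy(8) documents: the proxy inserts its own per-session rules (with quick) into them for the PASV/PORT data connections it sees on the control channel, so static "port > 1023" rules are not what lets the data connections through.

```pf
# Added example, not the poster's configuration. Assumed: OpenBSD with the
# pre-4.7 pf syntax (rdr/nat), ftp-proxy(8) listening on 127.0.0.1:8021,
# interface names and the $lan macro.
int_if = "em1"
ext_if = "em0"
lan    = $int_if:network

# The rdr target 127.0.0.1:8021 is reached over lo0; skip filtering there.
set skip on lo0

# Anchors that ftp-proxy(8) fills with per-session nat/rdr and filter
# rules for the negotiated data connections (active and passive mode).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand every client control connection (port 21) to the local proxy.
# "rdr pass" also passes the redirected packet, so no separate
# "pass in on $int_if ... port ftp" rule is needed.
rdr pass on $int_if inet proto tcp from $lan to any port ftp \
        -> 127.0.0.1 port 8021

# Default deny.
block log all

# Filter anchor for the rules ftp-proxy inserts; they carry "quick", so
# they take effect regardless of the rules that follow.
anchor "ftp-proxy/*"

# The proxy itself opens the control connection to the server from the
# firewall's external address; this static rule covers that.
pass out log on $ext_if inet proto tcp from ($ext_if) to any port ftp \
        modulate state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then start the proxy (ftp-proxy_flags in rc.conf.local, per ftp-proxy(8)). With the anchors in place the broad "to any port > 1023" rules can be dropped, which is the reason to run the proxy on a default-deny firewall in the first place.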