ftp connections not working from firewall box

Michael Weiser michael at weiser.dinsnail.net
Thu Jul 7 19:47:41 GMT 2005


On Thu, Jul 07, 2005 at 02:37:25PM -0400, Scott Ullrich wrote:

> > another problem with my new pftpx setup is that because of
> > 
> > rdr on xl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> > 
> > only connections coming in via the internal interface get redirected to
> > pftpx. Due to that FTP connections originating on the machine itself
> > don't work because they leave directly via the external interface so that
> > pftpx doesn't see them to add the proper firewall rules.
> > 
> > Is there a workaround or proper solution for this (possibly including a
> > rant about my braindamage ;) ?
> If you default to deny on the WAN, what happens if you change the rdr
> statement to:

> rdr inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021

No change. My understanding is that rdr only works for incoming
packets. This would explain why the above doesn't work: because packets
originating on the local machine go out directly via xl1, they are not
picked up by rdr, since they are already outgoing, not incoming.

Is that understanding correct or am I missing something?

One possible workaround might be to have applications that support it
use the IP of the internal interface as the source address, so that the
packets appear as incoming on that interface and get redirected to
pftpx. But squid, for example, doesn't support it, and when I tried with
wget --bind-address just now it didn't work.
-- 
bye, Micha