PF with ftp-proxy

Jason C. Wells jcw at
Tue Jun 24 06:11:26 UTC 2008

I am running pf with ftp-proxy and nat on 6.3-RELEASE.  I am using the 
docs on the openbsd faq.  The fine manual is not serving me well this 
evening.  When attempting ftp connections firefox reports a variety of 
errors like "Bad IP" or "Passive connection must come from same host as 
control connection."

 From inetd.conf:

ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -t 180 

 From pf.conf:

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> $localhost
port ftp-proxy
pass in all
pass out all

Inetd is spawning the ftp-proxy process when I attempt client access to  This seems to be working correctly.

ftp-proxy -D is not producing any log output in /var/log/messages. How 
can that be?

But even more mysteriously, as I typed this message I fired up tcpdump 
to try and figure things out.  I then attempted to connect to and succeeded.  I have changed no firewall rules during 
the time that I have been writing this message. Then I did a refresh in 
firefox and the ftp session failed.  Double WTF? How on earth can the 
firewall work one second and then not work the next?

One thing I miss in the documentation.  Does ftp-proxy inject rules into 
pf using the ftp-proxy anchors?

I realize my message is poorly written. I'm pretty confused right now. 
I'm not really sure what to ask to figure this out.  I've followed the 
very simple docs.  I can't imagine what I have missed.


More information about the freebsd-pf mailing list