Depending on the client software, you should be able to use Passive
mode.

man 1 ftp:

     -p          Enable passive mode operation for use behind connection filtering
                 firewalls.  This option has been deprecated as ftp now tries to use
                 passive mode by default, falling back to active mode if the server
                 does not support passive connections.

> On 28 okt. 2016, at 08:55, Mik J <mikyde...@yahoo.fr> wrote:
>
> Hello,
>
> I have FTP clients behind my OpenBSD firewall and they want to access ftp
> sites on the internet
>
> I have read numerous documentation but haven't found the answer yet.
>
> * I start the ftp-proxy like this
> /usr/sbin/ftp-proxy -D7 -v
>
> * I have rules in my pf.conf
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to
> 127.0.0.1 port 8021
> pass out quick on $ext_if inet proto tcp from $ext_add to any port 21
>
> I filter both interfaces lan and wan on my firewall
>
> I'm able to connect to an ftp server from inside the lan but when I do the
> command ls it fails
> Of course, this is normal because there is no rule that allows the ftp data
> (passive) to go out and the packets are dropped when they try to go out of the
> firewall's external interface.
> Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327
> x.x.x.x.39046: S 1161913180:1161913180(0) win 16384 <mss
> 1440,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 700905107[|tcp]>
>
>
> * My question
> The ftp data channel connects to an unknown server and an unknown port. I
> don't want to open a large range of ports on my external firewall's
> interface.
> How can I only allow a specific set of outgoing ports when the connection is
> initiated by the ftp-proxy only?