On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:

> > pass in on $ext_if inet proto tcp from any \
> > to $ext_if port 55000 >< 57000 user proxy \
> > flags S/SA keep state
>
> C>You don't need this anymore.
>
> Ah, okay, how come I don't need this anymore? I must be missing and not
> understanding the matters properly.

You don't need it, because the proxy takes care of _all_ data connections
itself now, using the anchors. Your only job is to pass the control (port 21)
connections; ftp-proxy takes care of the rest.

> C>Since you know about the anchors and therefore that ftp-proxy has
> C>changed
> C>I must ask: which documentation did you follow and what was unclear?
> C>Maybe that needs fixing.
>
> The page that triggered me was this one:
>
> http://www.openbsd.org/39.html
> "ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
> added"
>
> Then I clicked to this link:
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxy&sektion=8
> The man page of ftp-proxy.

That was the right thing to do.

> Unclear from the man page was that I don't need the pass in's anymore as
> you mentioned before; I still don't understand why.

That should have become clear after reading the DESCRIPTION section of the
man page. Can you read that again and tell me what might be clarified?

> I also clicked on the pf.conf man page:
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
>
> In the anchor section I saw this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
> to $ext_if port smtp keep state
>
> Okay, but then, which rules fall under the anchor section spam and which
> don't? It would be more clear like this:
>
> ext_if = "kue0"
> block on $ext_if all
> anchor spam {
> pass out on $ext_if all keep state
> pass in on $ext_if proto tcp from any \
> to $ext_if port smtp keep state }
>
> That way I'd know that both pass rules belong to the anchor spam, but
> in the example I cannot conclude that.

No, those last two rules are not loaded into the anchor, you got that wrong.
Loading rules into an anchor can be done with the pfctl -a switch, or with
the "load anchor" statement in pf.conf.

The ANCHORS section in pf.conf(4) should make it clear.

> This longer example uses both a NAT and a redirection. The external
> interface has the address 157.161.48.183. On localhost, we are running
> ftp-proxy(8), waiting for FTP sessions to be redirected to it. The three
> mandatory anchors for ftp-proxy(8) are omitted from this example; see the
> ftp-proxy(8) manpage."
>
> Forgive the layout, I know it's a mess.
> Here the three mandatory anchors are also mentioned, but I thought that the
> examples would lead to an error in my case, because with the last anchor I
> would have no pass rule like this from the ftp-proxy man page:

Ok, pf.conf redirected you to ftp-proxy(8) again, which is good.

> "anchor "ftp-proxy/*"
> pass out proto tcp from $proxy to any port 21 keep state"
>
> I thought that with an anchor I would also need a rule attached to it.

Nope, as explained above, that's not how anchors work.

I think the only thing you missed that might have made things easier was the
upgrade document for 3.9 which Nick already pointed out:

http://www.openbsd.org/faq/upgrade39.html

But I think it's reasonable to expect people to read it, as it is referenced
from the release announcement.

-- 
Cam
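The two points the thread turns on, that the three ftp-proxy anchors are left empty in pf.conf because the proxy fills them at run time, and that a rule written after an "anchor" line is an ordinary main-ruleset rule rather than part of the anchor, are shown together in the following pf.conf fragment. This is an added example for the OpenBSD 3.9 ftp-proxy, not a configuration from the thread or from the ftp-proxy(8) man page; the interface names, the LAN network and the /etc/pf-spam.conf file are assumed, while 127.0.0.1 port 8021 is the proxy's default listening address.

```pf
# Added example: pf.conf fragment for the rewritten (3.9) ftp-proxy.
# ext_if, int_if and /etc/pf-spam.conf are assumed values for illustration.
ext_if = "kue0"        # assumed external interface
int_if = "fxp0"        # assumed internal (LAN) interface
proxy  = "127.0.0.1"   # ftp-proxy listens here on port 8021 by default

# --- translation rules (must precede filter rules) ---
# Ordinary NAT for LAN traffic leaving the gateway.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Hand LAN clients' FTP control connections (port 21) to ftp-proxy.
rdr pass on $int_if proto tcp from any to any port 21 -> $proxy port 8021

# Two of the three mandatory anchors. They contain no rules here:
# ftp-proxy inserts the nat/rdr rules it needs for each data connection
# while the session is open and removes them when it ends.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# --- filter rules ---
block on $ext_if all

# Third mandatory anchor; again empty in pf.conf, populated by ftp-proxy.
anchor "ftp-proxy/*"

# The one pass rule you write yourself: the proxy's own control connections
# to the FTP servers. No "pass in ... port 55000 >< 57000 user proxy" rule
# is needed any more; the proxy passes its data connections via the anchor.
pass out proto tcp from $proxy to any port 21 keep state

# Contrast with the pf.conf(5) "spam" example: the pass rule below the
# anchor line is NOT inside the anchor. Rules enter "spam" only through
# "load anchor" (or "pfctl -a spam -f file" from the command line).
anchor spam
load anchor spam from "/etc/pf-spam.conf"   # assumed file; its rules go into "spam"
pass out on $ext_if all keep state          # main ruleset rule, not part of "spam"
```

To check the result, load the file with `pfctl -nf /etc/pf.conf` first (syntax check only, including the ordering of translation before filter rules), then `pfctl -sr` for the main ruleset and `pfctl -a spam -sr` for what "load anchor" actually placed in the spam anchor. With no FTP session open, `pfctl -a 'ftp-proxy/*' -sr` shows nothing, which is the expected state; during a transfer it lists the temporary rules the proxy has placed in its per-session sub-anchors.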

