Eventually I managed to make ftpd, PF and ftp-proxy work on the same machine with one network interface.
My /etc/rc.conf:
[...]
pf_enable="YES"
pflog_enable="YES"
ftpd_enable="YES" # Enable stand-alone ftpd.
ftpd_flags="-46Dl"
ftpproxy_enable="YES"
ftpproxy_flags="-R 127.0.0.1"
[...]
My /etc/pf.conf:
[...]
#nat section
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $if proto tcp from any to $if port 9021 -> \
127.0.0.1 port 8021
[...]
#rules section
anchor "ftp-proxy/*"
#The ftp-proxy man page suggests putting another rule here: "pass out proto tcp from $proxy to any port 21".
#I don't need it because I'm not proxying clients but a server (the -R option of ftp-proxy): the proxy reaches ftpd over the loopback interface, not out through $if.
[...]
My ftpd is running on port 21, but I used 9021 in the rdr pass rule because I want clients to connect to that port instead of the standard 21 (and this is *not* *security* *by* *obscurity*, because I'm not relying on it for my security).
This way I can avoid statically opening all the ports >= net.inet.ip.portrange.hifirst for passive-mode data connections: ftp-proxy inserts the rules for each data connection into its anchor while the session lasts and removes them when it ends.
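A complete /etc/pf.conf built around the fragments above, as an added example and not the author's own file: it assumes an interface named em0, ftpd listening on 127.0.0.1:21, ftp-proxy started with -R 127.0.0.1 and listening on its default 127.0.0.1:8021, and the rdr/nat syntax FreeBSD pf used at the time (pre-OpenBSD 4.7). The commented-out static passive-port range shows the setting the anchor-based approach replaces.

```pf
# Added example, not the blog author's actual /etc/pf.conf.
# Assumptions: one interface em0, ftpd on 127.0.0.1:21,
# ftp-proxy -R 127.0.0.1 listening on 127.0.0.1:8021.
if = "em0"
ftp_public_port = "9021"
proxy = "127.0.0.1"
proxy_port = "8021"

# Options: proxy <-> ftpd traffic stays on lo0 and is not filtered,
# so no "pass out ... port 21" rule is needed for the proxy.
set skip on lo0

# Translation section (must precede filter rules in this syntax).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Public control port 9021 is redirected to the proxy; "rdr pass"
# also passes the translated packet, so no separate pass rule.
rdr pass on $if proto tcp from any to $if port $ftp_public_port -> $proxy port $proxy_port

# Filter section: default deny inbound, allow outbound.
block in on $if all
pass out on $if all keep state

# Rules ftp-proxy adds per session (rdr + pass for the data port)
# are evaluated here and disappear when the session closes.
anchor "ftp-proxy/*"

# Weak alternative this replaces: without the proxy, passive mode
# would need the whole net.inet.ip.portrange.hifirst..hilast range
# (49152-65535 on a default FreeBSD) opened permanently, exposing any
# other daemon that happens to bind a port in that range.
# pass in on $if proto tcp from any to $if port 49152:65535 keep state
```

After loading it with pfctl -f /etc/pf.conf, pfctl -a 'ftp-proxy/*' -s rules should show nothing until a client connects to port 9021 and enters passive mode; at that point the rules for that session's data connection appear under a child anchor and vanish when the session ends, which is the behaviour the static range would have made permanent.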
Comments (2)

yes… sure… I understood everything…
Posted 10 Dec 2007 at 22:05

but come on Monte, how can you not understand a thing!! …but isn't a spaghetti(*,500hg) directive missing on the third line? meh… #)
Posted 23 Dec 2007 at 01:17