Subject: Ftp proxy working with pf (was: pf doesn't start normally anymore)
To: Peter Postma <peter@pointless.nl>
From: Mipam <mipam@ibb.net>
List: netbsd-users
Date: 08/11/2005 23:47:16
Hi all,

Somewhat off topic, but for those who would possibly find it interesting:
I use ftp-proxy to get ftp functionality for internal clients combined 
with pf.
Below are the pf rules to get it working:

# Redirect transparently all ftp connects to the outside world to the
# loopback interface on port 8021 where ftp-proxy is listening.
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# Allow active ftp session to come back to ftp-proxy to make it work
# BTW, I've not seen any ftp-proxy advisory, so I'm not afraid the outside
# world can talk to ftp-proxy
pass in on $ext_if inet proto tcp from any \
to $ext_if port 55000 >< 57000 user proxy \
flags S/SA keep state

Then you'd need a line in /etc/inetd.conf to get it working:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -p -u proxy -m 55000 -M 57000 -t 180

Of course, provided you defined the user proxy and group proxy first.
Also enable pf in the kernel and create a node in /dev:
in /dev: sh ./MAKEDEV pf
will do the trick.  
Bye,

Mipam.