Subject: Re: pf vs ftp
To: None <tech-net@netbsd.org>
From: Brad <brad@comstyle.com>
List: tech-net
Date: 02/06/2006 17:05:45

On Mon, Feb 06, 2006 at 04:52:48PM -0500, der Mouse wrote:
> Does pf special-case FTP? I set up a pf firewall (3.0) that's supposed
> to allow anything as long as the connection is opened by the inside
> side. I would have expected this to allow passive mode FTP to work.
>
> But it doesn't work (though it's by no means determined that pf is the
> reason), and http://www.openbsd.org/faq/pf/ftp.html seems to imply that
> ftp-proxy is necessary to make even *passive* mode FTP work, which
> seems majorly broken - why should FTP's connections be any different
> from any other outgoing connections?
>
> Any thoughts?
>
> /~\ The ASCII der Mouse
> \ / Ribbon Campaign
> X Against HTML mouse@rodents.montreal.qc.ca
> / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

PF does not special case anything. This is a packet filter.
Look at the -n flag for ftp-proxy.. passive FTP will work through
PF just fine without ftp-proxy. ftp-proxy is necessary for active
mode FTP sessions.
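
Added example, not part of the original thread: a toy Python model of the "pass anything the inside opens, keep state" policy discussed above, showing which side opens the FTP data connection in passive and in active mode. The `StatefulFilter` class, the function names, the addresses (documentation ranges) and the port numbers are constructed for illustration; this is not pf's implementation.

```python
import re

# Constructed control-channel lines in RFC 959 syntax (h1,h2,h3,h4,p1,p2).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"  # sent by server
PORT_CMD = "PORT 192,0,2,25,195,81"                             # sent by client

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(line):
    """Return (ip, port) announced in a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port tuple in %r" % line)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % line)
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]


class StatefulFilter:
    """Hypothetical model: inside-initiated connections pass and create state."""

    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        self.states = set()

    def syn(self, src, sport, dst, dport):
        """True if a connection-opening packet is passed by the policy."""
        if src in self.inside:
            self.states.add((src, sport, dst, dport))
            return True
        return False  # opened from outside: no state, no pass rule


def data_connection_allowed(fw, client, server, control_line):
    """Decide whether the data connection implied by control_line gets through."""
    ip, port = parse_hostport(control_line)
    if control_line.startswith("227"):
        # Passive: the client opens the data connection to the server's address.
        return fw.syn(client, 50001, ip, port)
    if control_line.upper().startswith("PORT"):
        # Active: the server opens it, from port 20, to the client's address.
        return fw.syn(server, 20, ip, port)
    raise ValueError("not a PORT command or 227 reply")


if __name__ == "__main__":
    fw = StatefulFilter({"192.0.2.25"})
    for line in (PASV_REPLY, PORT_CMD):
        print(line, "->", data_connection_allowed(fw, "192.0.2.25", "203.0.113.10", line))
```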