On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:

quoted text
> On 2010-03-11, Christopher Zimmermann <madroach@zakweb.de> wrote:
> > Hi,
> >
> > my -current firewall is configured to block all in, block all out 
> > and allow only certain outbound connections.
> >
> > Now I want to allow outbound ftp connections.
> >
> > I read ftp-proxy(8) and 
> > http://openbsd.org/faq/pf/ftp.html#client.
> >
> > As I understand it, ftp-proxy could be used to create rules for 
> > inbound and outbound connections on 4.6. Now on -current the rdr 
> > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
> > suggests using rdr-to, but this only works for inbound 
> > connections.
> >
> > Is it possible to allow ftp connections from a local client to
> > public ftp serves on the internet? Possibly by using ftp-proxy?
> 
> I suspect your understanding of "inbound" is from the viewpoint
> of your network; PF doesn't care about that at all, it's only
> concerned with whether a packet is inbound or outbound to a
> particular interface.

ok, thanks. Thats clear. I don't have a whole net. Its just a 
single workstation, using pppoe0 to reach the internet. So the 
ftp client is running on the firewall, not behind it. The packets 
will be outbound on my pppoe0, but not inbound any any interface, 
will they?

quoted text
> rdr only works for inbound connections too.

As I unterstood it, it works _only_ for inbound connections.

quoted text
> A rule like the following works just fine for a ftp connection
> from a local client to a public ftp server:
> 
> pass in quick log on {lan, wifi, natted} inet proto tcp \
>     to port 21 rdr-to 127.0.0.1

Isn't this just the example from the default pf.conf with
"on {...}" added and port 8021 left away?

After reading http://www.openbsd.org/faq/current.html#20090901

it seems to me that it is in fact not possible at the moment to 
use a ftp-client on a firewall until the current restrictio on 
rdr-to in pfctl will be removed. Is this true?


Chrisotpher