Solved PF: How to NAT FTP?

[pantera]

My NAT rule is as below:

nat on $wan from <users> to any -> $pool round-robin
scrub on $wan reassemble tcp
pass in log on $lan inet from <users> to any
pass out log all

But I cannot log in to FTP sites. But with this rule yesterday I logged in to ftp sites. I don't know what is the issue.

 

[SirDice]

This explains the issue quite well: Active FTP vs. Passive FTP, a Definitive Explanation.

 

[pantera]

I can not connect even in passive mode.
I'm not permitted to directory listing as showed in error
Cod you give an example of configuration?

Bad IP Connectivity Error

 

[SirDice]

I'm not permitted to directory listing as showed in error

That's the problem with FTP. It creates a new connection for data. Depending on passive or active it's the server or the client that opens a port. The problems begin when both sides are firewalled, then neither active nor passive will work.

 

[pantera]

It always appears when I try to open ftp.FreeBSD.org.

 

[pantera]

But when I use zenmate, it opens. How should the pf rules be?

 

[stig]

Hi pantera

Maybe the section 30.3.3.2. Creating an FTP Proxy in the FreeBSD handbook solves your problem. https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

Alternative try look at The book of PF (author Peter N. M. Hansteen) - I think the sample chapter has a section about FTP.

Best regards

 

[pantera]

Solved