ftp problem
J65nko
j65nko at gmail.com
Fri Jan 8 04:18:57 UTC 2010
On Thu, Jan 7, 2010 at 10:19 PM, M. Keith Thompson
<m.keith.thompson at gmail.com> wrote:
> On Thu, Jan 7, 2010 at 2:37 PM, J65nko <j65nko at gmail.com> wrote:
>>> # SSH from NetEng subnet
>>> pass in quick log on $ext_if proto tcp from $net_eng to $ext_if port
>>> 22 keep state
>>>
>>> # Allow inside network to ping the server
>>> pass in quick on $ext_if proto icmp from $pingers to $ext_IP keep state
>>>
>>> # Allow DNS lookups
>>> pass out quick on $ext_if proto udp to any port 53
>>> pass out quick on $ext_if proto tcp to any port 53 keep state
>>>
>>> # Allow ftp
>>> pass in quick on $ext_if proto tcp from any to $ext_IP port 21 keep state
>>> pass in quick on $ext_if proto tcp from any to $ext_IP port > 49151 keep state
>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
>>> port 20 keep state
>>>
>>> --- end of pf.conf ----------------------
With ftp the client initiates the ftp command channel
client:port >1023 ---> server:port 21
The passive ftp data channel is initiated by the client
client:port >1023 ---> server:port>1023
Your second rule takes care of this
The active ftp data channel is initiated by the ftp server
using, and that is kind of weird, port 20 (ftp-data) as source port.
server:port 20 ---> client:port >1023
You meant to pass active ftp with this rule:
>>> pass in quick on $ext_if proto tcp from any port > 10000 to $ext_IP
>>> port 20 keep state
But it should be:
pass out quick on $ext_if inet proto tcp from any port ftp-data
to $ext_IP port > 10000 keep state
BTW you have a nice pf debug friendly "block log all" default policy.
Does "tcpdump -eni pflog0" on the pf box show any blocked packets?
RE: ftp-proxy
This just adds complexity; after everything is working you could add it in.
RE: active ftp user requirement
Yes, I understand, it is the users who help us pay our mortgage ;)
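Added illustration, not code from this thread: a small Python model of pf's first-match "quick" evaluation, run over the three FTP connection openers described above under a "block log all" default. It assumes the pf host is the FTP server itself ($ext_IP), that the client's ephemeral port is above 1023, and uses constructed placeholder addresses; it shows that the poster's inbound "port 20" rule can never match the server-initiated active data connection, while an outbound rule on port ftp-data does.

```python
from dataclasses import dataclass

EXT_IP = "203.0.113.10"   # constructed placeholder for $ext_IP (the pf host)
CLIENT = "198.51.100.7"   # constructed placeholder for an outside ftp client

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" on $ext_if, as pf sees the first SYN
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    src: str = "any"
    sport: tuple = ("any", 0)   # ("any", 0) | ("eq", n) | ("gt", n)
    dst: str = "any"
    dport: tuple = ("any", 0)

def port_ok(spec, port):
    op, n = spec
    return op == "any" or (op == "eq" and port == n) or (op == "gt" and port > n)

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport))

def verdict(rules, pkt):
    """First matching 'quick' rule wins; otherwise the 'block log all' default."""
    return next(("pass" for r in rules if matches(r, pkt)), "block")

# Only the opening SYN of each channel matters: "keep state" passes the rest.
COMMAND = Packet("in", CLIENT, 40001, EXT_IP, 21)      # client -> server:21
PASSIVE = Packet("in", CLIENT, 40002, EXT_IP, 50000)   # client -> server:>49151
ACTIVE = Packet("out", EXT_IP, 20, CLIENT, 40003)      # server:20 -> client:>1023

# The poster's three ftp rules, as written in the quoted pf.conf.
ORIGINAL = [
    Rule("in", dst=EXT_IP, dport=("eq", 21)),
    Rule("in", dst=EXT_IP, dport=("gt", 49151)),
    Rule("in", sport=("gt", 10000), dst=EXT_IP, dport=("eq", 20)),  # wrong direction
]
# Same set, with the active-ftp rule made an outbound rule from port ftp-data.
CORRECTED = ORIGINAL[:2] + [Rule("out", src=EXT_IP, sport=("eq", 20), dport=("gt", 1023))]

def verdicts(rules):
    return {name: verdict(rules, p) for name, p in
            (("command", COMMAND), ("passive", PASSIVE), ("active", ACTIVE))}
```

With the original set only the active data channel is blocked, which is exactly what "tcpdump -eni pflog0" would show as a dropped outbound SYN from port 20.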