Pf ftp-proxy and TLS
Current revision as of 14:17, 4 January 2012
I have just finished fixing my pf rules to allow FTP connections with TLS encryption enabled. It boiled down to pf's ftp-proxy getting in the way: with FTPS the control channel is encrypted as part of the TLS session, so the proxy can no longer read the PORT/PASV exchange it relies on to open the data connection for you.
Thanks to this post I was able to figure it out :-)
So I had to exclude my ISP's FTP server from going through the proxy:
# Blacknight FTPS high port range
# TCP 41000 to 42000
bn_ftp_srv = "78.153.215.243"
bn_ftp_ports = "{ ftp, ftp-data, ftps, ftps-data, 41000:42000 }"

# FTP proxy
#
# bn_ftp_srv - Blacknight FTP server excluded to allow for TLS (see extra rules for it further down)
#
# Note: "to !$bn_ftp_srv" already means "any destination except that server".
# Writing it as a list, "to { !$bn_ftp_srv, any }", expands into two rdr rules,
# and the second one ("to any") matches the server again, so the exclusion is lost.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wired_if proto tcp from $wired_if:network to !$bn_ftp_srv port ftp -> $ftp_proxy port 8021
rdr pass on $wifi_if proto tcp from $wifi_if:network to !$bn_ftp_srv port ftp -> $ftp_proxy port 8021

# Allow everything to and from Blacknight FTP server
pass in on $wifi_if proto tcp from $wifi_if:network to $bn_ftp_srv port $bn_ftp_ports
pass out on $ext_if proto tcp from $ext_if to $bn_ftp_srv port $bn_ftp_ports
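The exclusion above hinges on how pf handles a negated address in a list: `to { !host, any }` is expanded into two separate rules, and translation (rdr) rules are evaluated first-match, so the trailing `any` rule catches the very host the first rule was meant to skip. The following is an added example, not code from the wiki page or from pf itself; it is a small Python model of that expansion and first-match evaluation, using the page's server address plus a constructed second address (192.0.2.10) and a stand-in `ftp_proxy:8021` label for the redirect target. It only handles single addresses and `any`, not CIDR blocks or tables.

```python
# Added example (not from the wiki page): a small model of how pf expands an
# address list into several rules and then evaluates rdr rules first-match.
# It does not need pf to run; it only illustrates the documented behaviour.
from dataclasses import dataclass
from typing import List, Optional

FTPS_SERVER = "78.153.215.243"   # the excluded server from the page (bn_ftp_srv)
OTHER_SERVER = "192.0.2.10"      # constructed: some other FTP server
FTP_PROXY = "ftp_proxy:8021"     # label for where the rdr sends matched connections


@dataclass(frozen=True)
class DstTerm:
    """One expanded destination term: a single address or 'any', optionally negated."""
    addr: Optional[str]          # None stands for 'any'
    negated: bool = False

    def matches(self, dst: str) -> bool:
        hit = self.addr is None or self.addr == dst
        return not hit if self.negated else hit


def expand_list(items: List[str]) -> List[DstTerm]:
    """pf turns `to { a, !b, any }` into one rule per element, in list order."""
    terms = []
    for raw in items:
        item = raw.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        terms.append(DstTerm(None if item == "any" else item, negated))
    return terms


def rdr_destination(list_items: List[str], dst: str) -> str:
    """Translation rules are first-match: the first expanded rule whose
    destination term matches decides. Returns where the connection
    actually ends up (the proxy, or the original destination)."""
    for term in expand_list(list_items):
        if term.matches(dst):
            return FTP_PROXY
    return dst


def demo() -> dict:
    """Compare the page's original list form with the plain negation."""
    original = ["!" + FTPS_SERVER, "any"]   # as written on the page
    fixed = ["!" + FTPS_SERVER]             # plain negation, no list
    return {
        "original_ftps": rdr_destination(original, FTPS_SERVER),
        "original_other": rdr_destination(original, OTHER_SERVER),
        "fixed_ftps": rdr_destination(fixed, FTPS_SERVER),
        "fixed_other": rdr_destination(fixed, OTHER_SERVER),
    }


if __name__ == "__main__":
    for name, where in demo().items():
        print(f"{name:15s} -> {where}")
```

Running the model shows the original list form sending the FTPS server to the proxy anyway, while the plain `!$bn_ftp_srv` leaves it alone and still redirects every other FTP server. On a real box you can see the same expansion without loading anything by parsing the ruleset with `pfctl -nvf /etc/pf.conf`, which prints each expanded rule.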