Pf ftp-proxy and TLS
Just finished fixing my pf rules to allow FTP connections with TLS encryption enabled. It boiled down to pf's ftp-proxy getting in the way: with FTPS the control channel is encrypted as part of the TLS session, so the proxy can no longer read the PORT/PASV exchange it relies on to open the data connection.
Thanks to this post I was able to figure it out :-)
So I had to exclude my ISP's FTP server from going through the proxy:
# Blacknight FTPS high port range
# TCP 41000 to 42000
bn_ftp_srv = "78.153.215.243"
bn_ftp_ports = "{ ftp, ftp-data, ftps, ftps-data, 41000:42000 }"

# FTP proxy
#
# bn_ftp_srv - Blacknight FTP server excluded to allow for TLS (see extra rules for it further down)
#
# Note: "to !$bn_ftp_srv" on its own already means "every destination except the server".
# Written as a list, "to { !$bn_ftp_srv, any }", it expands into two rdr rules, and the
# "any" rule would still redirect the server's port 21 traffic to the proxy.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wired_if proto tcp from $wired_if:network to !$bn_ftp_srv port ftp -> $ftp_proxy port 8021
rdr pass on $wifi_if proto tcp from $wifi_if:network to !$bn_ftp_srv port ftp -> $ftp_proxy port 8021

# Allow everything to and from Blacknight FTP server (control and data channels, including the passive high port range)
pass in on $wifi_if proto tcp from $wifi_if:network to $bn_ftp_srv port $bn_ftp_ports
pass out on $ext_if proto tcp from $ext_if to $bn_ftp_srv port $bn_ftp_ports
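The exclusion only works if the rdr rule really fails to match the FTPS server. As an added illustration (not from this page or from pf itself), the following is a simplified model of how pf expands a `{ }` list into one rule per element and picks the first matching rdr rule; it shows why a list such as `to { !$bn_ftp_srv, any }` still sends the server's port 21 traffic to the proxy, while `to !$bn_ftp_srv` lets it through untouched. The proxy address is assumed to be loopback:8021; the server address is the one from the page.

```python
"""Simplified model of pf list expansion and first-match rdr evaluation.

Assumption: $ftp_proxy is 127.0.0.1 (the page only uses the macro).
"""
import ipaddress

BN_FTP_SRV = "78.153.215.243"      # Blacknight FTP server, as on the page
FTP_PROXY = ("127.0.0.1", 8021)    # $ftp_proxy port 8021 (assumed loopback)


def expand_list(spec):
    """pf expands `{ a, b }` into one rule per element: a union, never an intersection."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        return [e.strip() for e in spec[1:-1].split(",")]
    return [spec]


def dst_matches(element, dst_ip):
    """Match one expanded `to` element: `any`, `host`, or `!host`."""
    if element == "any":
        return True
    negated = element.startswith("!")
    host = element.lstrip("!")
    hit = ipaddress.ip_address(dst_ip) == ipaddress.ip_address(host)
    return not hit if negated else hit


def redirect_target(rdr_to_spec, dst_ip, dst_port):
    """Return the proxy the connection is redirected to, or None if it goes direct.

    Only `port ftp` (21) is covered by the rdr rule, as on the page; the first
    expanded rule that matches wins, which is what makes the `any` element fatal.
    """
    if dst_port != 21:
        return None
    for element in expand_list(rdr_to_spec):
        if dst_matches(element, dst_ip):
            return FTP_PROXY
    return None


if __name__ == "__main__":
    print("list form :", redirect_target("{ !%s, any }" % BN_FTP_SRV, BN_FTP_SRV, 21))
    print("plain form:", redirect_target("!%s" % BN_FTP_SRV, BN_FTP_SRV, 21))
```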