Pf ftp-proxy and TLS

From MyWiki

Just finished fixing my pf rules to allow FTP connection with TLS encryption on. It boiled down to pf's ftp-proxy getting in the way while FTP control channel should be encrypted as part of TLS session.

Thanks to this post I was able to figure it out :-)

So I had to exclude my ISP's FTP server from going through the proxy:

# Blacknight FTPS high port range
#  TCP 41000 to 42000
bn_ftp_srv = "78.153.215.243"
bn_ftp_ports = "{ ftp, ftp-data, ftps, ftps-data, 41000:42000}"

# FTP proxy
# 
# bn_ftp_srv - Blacknight FTP server excluded to allow for TLS (see extra rules for it further down)
# 
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wired_if proto tcp from $wired_if:network to {!$bn_ftp_srv, any} port ftp -> $ftp_proxy port 8021
rdr pass on $wifi_if proto tcp from $wifi_if:network to {!$bn_ftp_srv, any} port ftp -> $ftp_proxy port 8021

# Allow everything to and from Blacknight FTP server
pass in on $wifi_if proto tcp from $wifi_if:network to $bn_ftp_srv port $bn_ftp_ports
pass out on $ext_if proto tcp from $ext_if to $bn_ftp_srv port $bn_ftp_ports