author: Henning Brauer <henning@cvs.openbsd.org> 2002-11-27 16:57:40 +0000
committer: Henning Brauer <henning@cvs.openbsd.org> 2002-11-27 16:57:40 +0000
commit: d346f65658c0854dc5d7a3b8254e42c2d64db500 (patch)
tree: 6aca26c3167e097819b83ce98516b0641a6ce6b6 /libexec/ftp-proxy
parent: 771b3db296fb935b2ca4a73dc850981018e7f529 (diff)
corrections and clarifications from Han Boetes <han at mijncomputer dot nl>
Thanks!
Diffstat (limited to 'libexec/ftp-proxy')
-rw-r--r-- libexec/ftp-proxy/ftp-proxy.8 35
1 file changed, 20 insertions, 15 deletions
diff --git a/libexec/ftp-proxy/ftp-proxy.8 b/libexec/ftp-proxy/ftp-proxy.8
index dfd48c60b30..11b2be79dda 100644
--- a/libexec/ftp-proxy/ftp-proxy.8
+++ b/libexec/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ftp-proxy.8,v 1.24 2002/10/11 20:32:10 dhartmei Exp $
+.\" $OpenBSD: ftp-proxy.8,v 1.25 2002/11/27 16:57:39 henning Exp $
.\"
.\" Copyright (c) 1996-2001
.\" Obtuse Systems Corporation, All rights reserved.
@@ -159,19 +159,21 @@ is run from
and requires that FTP connections are redirected to it using a
.Em rdr
rule.
-A typical way to do this would be to use a rule such as
+A typical way to do this would be to use a
+.Xr pf.conf 5
+rule such as
.Pp
-rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+.Bd -literal
+ int_if = xl0
+ rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+.Ed
.Pp
-in
-.Xr pf.conf 5
-(this example assumes xl0 is the interface facing an internal network).
.Xr inetd 8
must then be configured to run
.Nm ftp-proxy
on the port from above using
.Pp
-127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
+ 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
.Pp
in
.Xr inetd.conf 5 .
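Review bot: the removed sentence "(this example assumes xl0 is the interface facing an internal network)" was the only place that explained what the interface stands for, and the new `int_if = xl0` macro does not restore that meaning, so a reader no longer learns that `$int_if` must be the internal-facing interface on which client FTP traffic arrives; keep a short note to that effect after the `.Ed`. Also, the inetd.conf line `127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy` gained a leading space but, unlike the pf.conf rule above it, is not wrapped in `.Bd -literal`/`.Ed`; use the same literal block for consistency rather than relying on a leading space for the line break.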
@@ -187,29 +189,32 @@ proxy forwards it to the client.
The
.Xr pf.conf 5
rules need to let pass connections to these proxy ports
-(see options -u, -m and -M above) in on the external interface.
+(see options -u, -m and -M above) out on the external interface.
The following example allows only ports 49152 to 65535 to pass in
-statefully (assuming xl1 is the external interface):
+statefully:
.Bd -literal
-block in on xl1 proto tcp all
-pass in on xl1 proto tcp from any to xl1 port > 49151 keep state
+ block out on $ext_if proto tcp all
+ pass out on $ext_if proto tcp from $ext_if to any \\
+ port > 49151 keep state
.Ed
.Pp
-Alternatively, rules make use of the fact that by default,
+Alternatively, rules can make use of the fact that by default,
.Nm ftp-proxy
runs as user "proxy" to allow the backchannel connections, as in the following example:
.Bd -literal
-block in on xl1 proto tcp all
-pass in on xl1 proto tcp from any to xl1 user proxy keep state
+ block out on $ext_if proto tcp all
+ pass out on $ext_if proto tcp from $ext_if to any user proxy keep state
.Ed
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr pf 4 ,
.Xr hosts.allow 5 ,
.Xr hosts.deny 5 ,
+.Xr inetd.conf 5 ,
.Xr pf.conf 5 ,
+.Xr inetd 8 .
.Xr pfctl 8 ,
-.Xr syslogd 8
+.Xr syslogd 8 .
.Sh BUGS
Extended Passive mode (EPSV) is not supported by the proxy and will
not work unless the proxy is run in network address translation mode.
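Review bot: the SEE ALSO list is mis-punctuated after this change: `.Xr inetd 8 .` ends with a period while `.Xr pfctl 8 ,` and `.Xr syslogd 8 .` follow it, so the list now contains two terminating periods and a comma after one of them; it should read `.Xr inetd 8 ,` with only the final `.Xr syslogd 8 .` taking the period. Separately, the rule examples were switched from `in` to `out` on `$ext_if`, but the surrounding prose "The following example allows only ports 49152 to 65535 to pass in statefully:" still says "pass in", and neither example defines `$ext_if` the way the first hunk defines `int_if`; update the sentence to "pass out" and add an `ext_if = ...` macro line (or a note naming the external interface) so the filter direction and the macro are consistent with the rules shown.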