From 3e51ca17c4db1376906d4a8a07e1e5ec7e13cb19 Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Wed, 27 Nov 2002 19:43:47 +0000 Subject: I fucked up. The manpage was correct before my last commit. noticed by Daniel. To unconfuse it a bit, add a little clarification. ok dhartmei@ --- libexec/ftp-proxy/ftp-proxy.8 | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libexec/ftp-proxy/ftp-proxy.8 b/libexec/ftp-proxy/ftp-proxy.8 index 11b2be79dda..969b2b80439 100644 --- a/libexec/ftp-proxy/ftp-proxy.8 +++ b/libexec/ftp-proxy/ftp-proxy.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ftp-proxy.8,v 1.25 2002/11/27 16:57:39 henning Exp $ +.\" $OpenBSD: ftp-proxy.8,v 1.26 2002/11/27 19:43:46 henning Exp $ .\" .\" Copyright (c) 1996-2001 .\" Obtuse Systems Corporation, All rights reserved. @@ -189,12 +189,12 @@ proxy forwards it to the client. The .Xr pf.conf 5 rules need to let pass connections to these proxy ports -(see options -u, -m and -M above) out on the external interface. +(see options -u, -m and -M above) in on the external interface. The following example allows only ports 49152 to 65535 to pass in statefully: .Bd -literal - block out on $ext_if proto tcp all - pass out on $ext_if proto tcp from $ext_if to any \\ + block in on $ext_if proto tcp all + pass in on $ext_if proto tcp from any to $ext_if \\ port > 49151 keep state .Ed .Pp 
@@ -202,9 +202,12 @@ Alternatively, rules can make use of the fact that by default, .Nm ftp-proxy runs as user "proxy" to allow the backchannel connections, as in the following example: .Bd -literal - block out on $ext_if proto tcp all - pass out on $ext_if proto tcp from $ext_if to any user proxy keep state + block in on $ext_if proto tcp all + pass in on $ext_if proto tcp from any to $ext_if user proxy keep state .Ed +These examples do not cover the connections from the proxy to the +foreign ftp server. If one does not pass outgoing connections by default +additional rules are needed. .Sh SEE ALSO .Xr ftp 1 , .Xr pf 4 , -- cgit v1.2.3
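Review bot: in the second hunk, the corrected rule `pass in on $ext_if proto tcp from any to $ext_if port > 49151 keep state` does match the documented range 49152 to 65535 (`port` after `to` is the destination port, and `> 49151` starts at 49152), but it opens that whole range on the firewall to every remote host, not only to the ftp server the proxy is currently talking to, so any other service listening in that range on the external address becomes reachable too. The `user proxy` form in the third hunk is the narrower of the two examples because it only passes connections to sockets owned by the proxy; a sentence pointing that out next to the port-range example would help readers pick the safer one.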
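Review bot: the paragraph added in the third hunk follows `.Ed` directly with no `.Pp`, whereas the earlier example block in this file is closed by `.Ed` and then `.Pp`; add a `.Pp` before `These examples do not cover the connections from the proxy to the` so the caveat renders as its own paragraph rather than running into the literal block. In the sentence itself, a comma would remove the ambiguity about what "by default" attaches to (`If one does not pass outgoing connections by default, additional rules are needed.`), and naming the direction that needs the extra rules (connections going out on the external interface from the proxy to the ftp server) would make the hint actionable instead of leaving the reader to infer it.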