Re: some doubt - protecting ftp server behind NAT and pf

igy <igor.kos1@removee.zg.t-com.hr> wrote:
> I have some doubt about protecting ftp server behind NAT and pf.
>
> I know about new ftp-proxy in OpenBSD 3.9 (I am using it already :-)
> but here is question about protecting ftp server only with NAT and pf,
> there is no reverse ftp-proxy neither "old" nor "new" style.
>
> In pf-faq37 we find example:
>
> ftp_server = "10.0.3.21"
> rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
> ...etc...
>
> Of course, there must be also:
> nat on $ext_if proto tcp from $internal_net to any -> $ext_if
>
> Here is my question, is it better to put more restrictive rdr statement,
> like:
>
> rdr on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server
> port 21
>                                      ^^^^^^^^^^^^
>
> Now, external ftp client can see only external IP address on my firewall
> ($ext_if_addr).
Yes.
> My second question is: Is it OK to put word "pass" in rdr/nat and after that
> block all, like:
>
> nat pass on $ext_if proto tcp from $internal_net to any -> $ext_if
> rdr pass on $ext_if proto tcp from any to $ext_if_addr port 21 ->
> $ftp_server port 21
>
> block all
I believe so, yes.
Joachim
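The ruleset the thread arrives at, written out as a complete pf.conf fragment. This is an added example and not from the original post; the interface names, the internal network and the external address are assumptions (the external address is a placeholder from the 192.0.2.0/24 documentation range), while the macros and rules follow the thread. The "pass" keyword on nat and rdr means a packet matched by that translation rule is passed without being evaluated against the filter rules, which is why "block all" afterwards does not break the redirected FTP control connection or the outbound NAT.

```pf
# Assumed values: replace with the real interfaces and addresses.
ext_if       = "fxp0"
int_if       = "fxp1"
internal_net = "10.0.3.0/24"
ftp_server   = "10.0.3.21"
ext_if_addr  = "192.0.2.10"    # placeholder external address

# Outbound NAT for the internal network. "pass" lets matching packets
# through without evaluating the filter rules below.
nat pass on $ext_if proto tcp from $internal_net to any -> $ext_if

# Redirect only connections addressed to the firewall's own external
# address on port 21 to the internal FTP server. Restricting the
# destination to $ext_if_addr (instead of "any") means no other address
# routed through $ext_if gets redirected to the FTP server.
rdr pass on $ext_if proto tcp from any to $ext_if_addr port 21 -> $ftp_server port 21

# Default deny for everything the translation rules did not already pass.
block all
```

Load it with a syntax check first (`pfctl -nf /etc/pf.conf`), then inspect what pf actually installed with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). Note that this only covers the FTP control channel on port 21; passive-mode data connections from external clients use separate, server-chosen ports and are not redirected by this rule, which is outside what the thread discusses.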