[OpenBSD] ftp-proxy and ephemeral port

As you may already know, FTP is a pain in the a** for firewall configuration and doesn’t work well through NAT: the data connection is opened on a port negotiated inside the control channel, so a stateful firewall or NAT device cannot know about it in advance. Fortunately, OpenBSD offers an elegant solution: diverting FTP traffic through a proxy that modifies Packet Filter’s rules on the fly 🙂

This proxy is very simple to enable. Just add something like this to your PF configuration file (pf.conf):

anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp to port 21 divert-to 127.0.0.1 port 8021

Then start the ftp-proxy daemon. By default it listens on TCP port 8021.

Now you may encounter connection issues with some ‘old’ FTP clients in active mode. The reason is that ftp-proxy doesn’t strictly follow RFC 959: in order to avoid port collisions, ftp-proxy uses an ephemeral port as the source port of the data connection instead of port 20. To force a strictly ‘RFC-compliant’ behaviour, add the -r option to its startup flags like this:

vi /etc/rc.conf.local
ftpproxy_flags="-r"
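As an added example (not from the post or from OpenBSD), here is a small POSIX sh check that confirms the three settings above are present before you reload PF. It assumes the default proxy port 8021, takes the file paths as arguments so it can be run against copies, and the sample configuration it writes is constructed:

```shell
#!/bin/sh
# Sanity-check the ftp-proxy setup: anchor, divert-to rule and -r flag.
# Usage: check_ftp_proxy_setup PF_CONF RC_CONF_LOCAL
# Returns 0 when all three are present, 1 otherwise (and names what is missing).
check_ftp_proxy_setup() {
    pf_conf=$1
    rc_conf=$2
    missing=0

    # 1. the anchor that ftp-proxy fills with per-session rules
    if ! grep -Eq '^[[:space:]]*anchor[[:space:]]+"ftp-proxy/\*"' "$pf_conf"; then
        echo "missing: anchor \"ftp-proxy/*\" in $pf_conf"
        missing=1
    fi

    # 2. the rule diverting FTP control connections (port 21) to the proxy
    #    (assumes the default proxy port 8021)
    if ! grep -Eq '^[[:space:]]*pass[[:space:]]+in.*proto[[:space:]]+tcp.*port[[:space:]]+21[[:space:]].*divert-to[[:space:]]+127\.0\.0\.1[[:space:]]+port[[:space:]]+8021' "$pf_conf"; then
        echo "missing: divert-to rule for port 21 -> 127.0.0.1:8021 in $pf_conf"
        missing=1
    fi

    # 3. the -r flag, so active-mode data connections originate from port 20
    if ! grep -Eq '^[[:space:]]*ftpproxy_flags=.*[[:space:]"=]-r([[:space:]"]|$)' "$rc_conf"; then
        echo "missing: -r in ftpproxy_flags in $rc_conf"
        missing=1
    fi
    return $missing
}

# Constructed sample configs (not real system files), written to a temp dir
# so the check can be tried offline.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/pf.conf" <<'EOF'
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp to port 21 divert-to 127.0.0.1 port 8021
EOF
    printf 'ftpproxy_flags="-r"\n' > "$d/rc.conf.local"
    check_ftp_proxy_setup "$d/pf.conf" "$d/rc.conf.local" && echo "ftp-proxy setup looks complete"
    rm -rf "$d"
}
demo
```

On a live system, run it as `check_ftp_proxy_setup /etc/pf.conf /etc/rc.conf.local` and then `pfctl -nf /etc/pf.conf` to have PF itself parse the rules.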

Rsnapshot

rsnapshot is a utility for making local and remote backups. It is written in Perl and uses rsync for data transfer and hard links for deduplication. You can find more information about it on the official website.