As you may already know, FTP is a pain in the a** for firewall configuration and doesn’t work well through NAT. Fortunately, OpenBSD offers an elegant solution: diverting FTP traffic through a proxy server that modifies Packet Filter’s rules dynamically, on the fly 🙂
This proxy is very simple to enable. Just add something like this to your PF configuration file (pf.conf):
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp to port 21 divert-to 127.0.0.1 port 8021
Then start the ftp-proxy daemon. By default it listens on TCP port 8021.
Now you may encounter a connection issue with some ‘old’ FTP clients in active mode. The reason is that ftp-proxy doesn’t strictly follow RFC 959: in order to avoid port collisions, ftp-proxy uses an ephemeral port as the source port of active-mode data connections instead of port 20. To force a strictly ‘RFC-compliant’ behaviour, add the -r option to the startup flags like this:
vi /etc/rc.conf.local
ftpproxy_flags="-r"
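A fuller pf.conf fragment for this setup, added here as an illustration and not taken from the original post or from OpenBSD's own documentation. The interface names (em0/em1), the internal network 192.0.2.0/24 and the surrounding default-deny and pass rules are assumptions made for the example; only the anchor and the divert-to rule come from the post.

```pf
# Added example (not from the original post). Assumed values: interface
# names, the LAN network (documentation range, constructed for the example).
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.0.2.0/24"

# Anchor that ftp-proxy fills with per-session "pass quick" rules for the
# data connections (active or passive) of each FTP session it relays.
anchor "ftp-proxy/*"

# Default deny: nothing passes unless a rule below, or a rule the proxy
# installs in the anchor above, explicitly allows it.
block all

# Divert the FTP control connection (port 21) from the LAN to the proxy,
# which listens on 127.0.0.1:8021 by default.
pass in quick on $int_if inet proto tcp from $lan_net to any port 21 \
    divert-to 127.0.0.1 port 8021

# The proxy runs on the firewall and opens the outbound control connection
# to the FTP server itself, so let that leave on the external interface.
pass out on $ext_if inet proto tcp to any port 21

# Remaining LAN traffic as usual (adjust to your own policy).
pass in on $int_if inet from $lan_net
pass out on $ext_if inet
```

The -r flag stays in /etc/rc.conf.local as shown above (ftpproxy_flags="-r"), not in pf.conf; on releases that ship rcctl, `rcctl enable ftpproxy` and `rcctl set ftpproxy flags -r` achieve the same. To check that the proxy is actually doing its job, open an FTP session from a LAN client and list the anchor with `pfctl -a 'ftp-proxy/*' -s rules`: the per-session data-connection rules appear there while the transfer is in progress and disappear when the session ends. If the anchor stays empty, the control connection is not being diverted and the divert-to rule is the first thing to revisit.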