How to enable ftp clients to access ftp servers from behind an OpenBSD firewall

Jephe Wu -

Objective: allow the users on the LAN who browse through the Squid proxy ( to reach ftp sites through the firewall.
Environment: OpenBSD 4.5 firewall (, Squid server ( behind this OpenBSD firewall

Internet[]OpenBSD4.5[]<->[]Squid/Web/DNS server
                                                              <->[]sysadmin pc

1. enable ftp-proxy in rc.conf
ftp-proxy is controlled by the ftpproxy_flags variable, which defaults to NO. Set it to an empty string (or to the flags you want the daemon started with), not to YES: any value other than NO is passed to ftp-proxy as its command line, and YES is not an argument it accepts. Put the override in /etc/rc.conf.local rather than editing /etc/rc.conf, so it survives upgrades:

ftpproxy_flags=""

With the default flags ftp-proxy listens on 127.0.0.1 port 8021, which is where the rdr rule in the next step has to send the LAN's ftp control connections.

2. add pf.conf rules for outgoing ftp and for the incoming web/dns requests served from the LAN


set block-policy return
set loginterface $ext_if

set skip on lo

# normalize incoming packets: reassemble fragments and drop tcp packets with
# illegal flag combinations such as SYN+FIN
scrub in all

# ftp-proxy inserts its per-session nat/rdr rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# redirect the LAN's outgoing ftp control connections to ftp-proxy; binding
# the rule to $int_if keeps port 21 traffic arriving on $ext_if out of it.
# The proxy's listen address (127.0.0.1 by default) goes before "port 8021".
rdr pass on $int_if proto tcp from any to any port ftp -> port 8021

# let squid proxy act as web server and dns server
rdr pass on $ext_if proto tcp from any to port {80,443} ->
rdr pass on $ext_if proto udp from any to port 53 ->

# squid proxy server can go to anywhere
nat pass on $ext_if from to any ->

# setup a default deny policy
block in all

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# ftp-proxy inserts its per-session pass rules here
anchor "ftp-proxy/*"

# pass everything out, on every interface, keeping state: tcp gets modulated
# initial sequence numbers, udp/icmp are tracked statefully. ftp-proxy's own
# control connection to the remote ftp server leaves through this rule.
pass out modulate state

antispoof quick for { lo $int_if }
pass in quick on $ext_if inet proto icmp all icmp-type { echorep, timex, unreach }

pass in quick on $ext_if proto udp to port 53 keep state
pass in quick on $ext_if proto tcp to port {80,443} synproxy state

# allow ssh to the firewall from the internal side, with synproxy against SYN floods
pass in quick on $int_if proto tcp from to $int_if port ssh synproxy state

# allow admin pc for anything
pass in quick on $int_if from

3. load the rules and start ftp-proxy

pfctl -f /etc/pf.conf

Loading pf.conf only installs the rules and the empty ftp-proxy anchors; the ftpproxy_flags setting from step 1 starts the daemon at the next boot, so for the current session also start ftp-proxy by hand. While an ftp session is open, the rules the proxy has inserted for it are visible in the "ftp-proxy/*" anchors.
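As an added example (not the author's configuration and not code from the OpenBSD project), the following script assembles a complete pf.conf of the shape used in step 2, with every interface name and address an assumed placeholder, and lints it for the mistakes that most often break transparent ftp-proxy: missing anchors, an ftp redirect that is not bound to the inside interface, or one that does not point at the proxy's listen address (127.0.0.1:8021 by default). Run on the firewall with the argument "live", it also does pfctl's parse-only check and prints the per-session rules ftp-proxy has inserted.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface names, the LAN
# prefix and the squid/admin addresses are assumed placeholders.

# Emit a complete OpenBSD 4.5-style pf.conf for transparent ftp-proxy.
gen_pf_conf() {
    cat <<'EOF'
# --- assumed macros: replace with the real values ---
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
squid  = "192.168.1.10"
admin  = "192.168.1.20"
proxy_listen = "127.0.0.1"   # ftp-proxy listens here by default
proxy_port   = "8021"

set block-policy return
set loginterface $ext_if
set skip on lo

# reassemble fragments, drop tcp packets with illegal flag combinations
scrub in all

# ftp-proxy inserts its per-session translation rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# only the LAN's outgoing ftp control connections go to ftp-proxy; binding
# the rule to $int_if keeps port 21 traffic arriving on $ext_if out of it
rdr pass on $int_if proto tcp from $lan to any port ftp -> $proxy_listen port $proxy_port

# inbound web/dns to the squid host, outbound NAT for the LAN
rdr pass on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $squid
rdr pass on $ext_if proto udp from any to ($ext_if) port 53 -> $squid
nat pass on $ext_if from $lan to any -> ($ext_if)

block in all
block in quick from urpf-failed
antispoof quick for $int_if

# ftp-proxy inserts its per-session pass rules here
anchor "ftp-proxy/*"

# everything out is allowed; the proxy's own connection to the ftp server
# leaves through this rule
pass out modulate state
pass in quick on $ext_if inet proto icmp all icmp-type { echorep, timex, unreach }
# filter rules see the translated (post-rdr) destination, hence $squid here
pass in quick on $ext_if proto udp to $squid port 53 keep state
pass in quick on $ext_if proto tcp to $squid port { 80, 443 } synproxy state
pass in quick on $int_if proto tcp from $lan to $int_if port ssh synproxy state
pass in quick on $int_if from $admin
EOF
}

# Lint a pf.conf read from stdin for the common ftp-proxy mistakes.
# Prints "ok", or one "FAIL: ..." line per problem, and exits non-zero on failure.
lint_pf_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^nat-anchor[ \t]+"ftp-proxy\/\*"/ { nat_anchor = 1 }
    /^rdr-anchor[ \t]+"ftp-proxy\/\*"/ { rdr_anchor = 1 }
    /^anchor[ \t]+"ftp-proxy\/\*"/     { anchor = 1 }
    /^rdr .*port[ \t]+(ftp|21)[ \t]+->/ {
        ftp_rdr++
        if ($0 !~ / on[ \t]+[$]int_if /) unscoped++
        if ($0 !~ /->[ \t]*(127\.0\.0\.1|[$]proxy_listen)[ \t]+port/) notarget++
    }
    END {
        if (!nat_anchor) { print "FAIL: missing nat-anchor \"ftp-proxy/*\""; f++ }
        if (!rdr_anchor) { print "FAIL: missing rdr-anchor \"ftp-proxy/*\""; f++ }
        if (!anchor)     { print "FAIL: missing anchor \"ftp-proxy/*\" in the filter section"; f++ }
        if (!ftp_rdr)    { print "FAIL: no rdr rule sending port 21 to ftp-proxy"; f++ }
        if (unscoped)    { print "FAIL: ftp rdr is not bound to $int_if, Internet-side port 21 would be redirected too"; f++ }
        if (notarget)    { print "FAIL: ftp rdr does not point at the ftp-proxy listen address"; f++ }
        if (!f) print "ok"
        exit f + 0
    }'
}

# On the firewall itself: parse-check the rules (-n: do not load), then show
# what ftp-proxy has put into its anchors (non-empty only while an ftp
# session is open). Skips quietly where pfctl does not exist.
check_live() {
    command -v pfctl >/dev/null 2>&1 || { echo "no pfctl here, skipping live check"; return 0; }
    tmp=$(mktemp) || return 1
    gen_pf_conf > "$tmp"
    pfctl -nf "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    pfctl -a 'ftp-proxy/*' -sn
    pfctl -a 'ftp-proxy/*' -sr
}

case "${1:-}" in
    live) check_live ;;
    *)    gen_pf_conf | lint_pf_conf ;;
esac
```

The lint deliberately flags the shape of rule on this page, "rdr pass proto tcp from any to any port ftp -> port 8021", on two counts: with no interface it also catches port 21 connections arriving from the Internet, and without a target address it does not reach the proxy at all. After the rules load, start the daemon for the current session with /usr/sbin/ftp-proxy (it reads no config file; all options are flags) and open an ftp session from the LAN before running the live check, otherwise the anchors are empty.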