It works! With these lines inside pf.conf; not a very nice solution, but it works:

pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
port 21 keep state
pass in on $int_if route-to ($ext_if $ext_gw1) proto tcp from $lan_net to \
port >1023 keep state

Hope this helps other people.

Daniel - network engineer

On 02/12/2007, Daniel Porres <chancleta@xxxxxxxxx> wrote:
> Thanks for the reply. I've seen that ftp_passive is enabled on
> squid by default, so there's no need to enable it.
> Later, thinking about this again, I'm going to try without squid as FTP
> proxy, because it should be difficult to select only FTP traffic from the
> squid machine because it is mixed on the same port with HTTP traffic.
> So to solve the problem, I will send FTP connections through only one
> ADSL, which makes FTP work without problems for a user inside the LAN
> connecting to an FTP server in passive mode.
>
> I will put these rules in pf.conf on the OpenBSD firewall.
>
> pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
> !$vpn_net port 21 keep state
>
> # ports on FTP OpenBSD servers
> # according to OpenBSD documentation
> pass in on $int_if route-to ($ext_if1 $ext_gw1) proto tcp from $lan_net to \
> !$vpn_net port >49151 keep state
>
> # ports in FTP passive servers
> # according to Wikipedia
> pass in on $int_if route-to ($ext_if $ext_gw1) proto tcp from $lan_net to \
> port >1023 keep state
>
>
> I haven't tried it yet; tomorrow let's see if it works.
> Any comment would be much appreciated.
>
> Regards,
> -
> Daniel
> network engineer
>
>
> On 02/12/2007, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> > Daniel Porres wrote:
> > > Hi friends,
> > >
> > > I'm having some problems making an FTP connection possible (control and
> > > data). Very often the control connection is established on one ADSL and the
> > > data connection on the other DSL, and the far server doesn't like that.
> > > I'm thinking of using the squid FTP proxy behind the firewall on another machine
> > > and processing the data to later send all FTP to the OpenBSD firewall.
> > > I don't know how to identify squid FTP data to send it only through one ADSL
> > > and solve the problem of the load balancing with FTP connections.
> > >
> > > Thanks,
> >
> > Have you tried with "ftp_passive on"?
> > That should be making the remote server set up the data connection.
> >
> > Amos
> >
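
An added illustration, not part of the original thread: a small Python model of why per-connection round-robin across two uplinks splits a passive FTP session, and what pinning port 21 and ports >1023 to one line does to the rest of the traffic. The uplink names, the sample port list and the server's same-address check are assumptions made for the model; pf's rule matching is reduced to the port tests from the rules above.

```python
from collections import Counter
from itertools import cycle

UPLINKS = ("adsl1", "adsl2")  # constructed names for the two ADSL lines

def make_router(pin_ftp):
    """Return route(dst_port) -> uplink for each new outbound TCP connection.

    pin_ftp=False: per-connection round-robin over both lines.
    pin_ftp=True:  the thread's rules, reduced to their port tests: port 21
                   and ports >1023 always leave via adsl1; the rest stays
                   round-robin.
    """
    rr = cycle(UPLINKS)
    def route(dst_port):
        if pin_ftp and (dst_port == 21 or dst_port > 1023):
            return "adsl1"
        return next(rr)
    return route

def passive_ftp_ok(route, data_port):
    """Control goes to port 21, data to a high port chosen by the server.
    Modelled assumption: the server refuses a data connection that arrives
    from a different public address than the control connection."""
    control_link = route(21)
    data_link = route(data_port)
    return control_link == data_link

def uplink_usage(route, dst_ports):
    """Count how many connections each line carries for a list of dst ports."""
    return Counter(route(p) for p in dst_ports)

# Constructed sample of non-FTP destination ports seen from the LAN.
OTHER_TRAFFIC = [80, 443, 8080, 3128, 5222, 25]

if __name__ == "__main__":
    print("round-robin, FTP ok:", passive_ftp_ok(make_router(False), 50123))
    print("pinned,      FTP ok:", passive_ftp_ok(make_router(True), 50123))
    print("round-robin usage:", dict(uplink_usage(make_router(False), OTHER_TRAFFIC)))
    print("pinned usage:     ", dict(uplink_usage(make_router(True), OTHER_TRAFFIC)))
```

In the pinned case the usage count shows the cost of the workaround: every TCP connection to a port above 1023 leaves through the first line, not only FTP data connections.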