My home network has a firewall with two IP addresses: one is the primary
external address used with NAT for my internal network as a whole, the
second is an external address used with binat for a particular machine.
The IP address for the binat is numerically lower (.38) than the main
external address (.100, same subnet).

The /etc/hostname.if file contains .100 as the primary address and .38
as an alias.
I run ftp-proxy with -n on the firewall. Specifically:

    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -w -r

The three key pf.conf rules are:

    nat on $ext_if from $INT_NET to any -> <.100 address>
    rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
    binat on $ext_if from <special machine ip> to any -> <.38 address>
Up until OpenBSD 3.3, I had no problems with this setup. Now, however,
I run into the following problem when attempting to FTP from any machine
on the internal network other than the binatted machine:

If a passive FTP connection is used, the data connection comes from the
numerically lower external IP address on the firewall (.38) rather than
the primary IP (.100), which means that passive FTP no longer works. The
control connection still comes from .100 as expected, but there's a
mismatch between the data and control connections.
Has anyone encountered this problem before? Is there a solution that
doesn't require making the lower IP the primary address?

It appears to me that the problem is that where .38 used to be listed
as an alias and as the second IP on the interface, it is now listed
as the first IP on the interface and ifconfig doesn't identify either
IP as an "alias".
--
Jim Lippard lippard_(_at_)_discord_(_dot_)_org http://www.discord.org/
GPG Key ID: 0xF8D42CFE
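An added diagnostic, not part of the post above, that checks for the two conditions the post describes: whether the nat rule's translation address is still the first address on the external interface, and whether a passive FTP data connection is sourced from a different external address than its control connection. The pf.conf fragment, ifconfig output and connection pairs are constructed (192.0.2.0/24 stands in for the real subnet, 10.0.0.5 for the binatted machine).

```python
import re
from ipaddress import ip_address

# Constructed pf.conf fragment mirroring the post's three rules.
PF_CONF = """\
nat on $ext_if from $INT_NET to any -> 192.0.2.100
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
binat on $ext_if from 10.0.0.5 to any -> 192.0.2.38
"""
# Constructed ifconfig output: the binat address is now listed first.
IFCONFIG = """\
inet 192.0.2.38 netmask 0xffffff00 broadcast 192.0.2.255
inet 192.0.2.100 netmask 0xffffff00 broadcast 192.0.2.255
"""
# Constructed (control_src, data_src) pairs as seen leaving the firewall.
SESSIONS = [("192.0.2.100", "192.0.2.38"), ("192.0.2.100", "192.0.2.100")]

# Only nat/binat lines; the rdr line also contains '->' but is excluded.
RULE = re.compile(r"^\s*(nat|binat)\b.*->\s*(\S+)", re.M)

def translation_targets(conf):
    """Map each rule type (nat/binat) to the addresses it translates to."""
    out = {}
    for kind, addr in RULE.findall(conf):
        out.setdefault(kind, []).append(addr)
    return out

def interface_addresses(text):
    """Return inet addresses in the order the interface reports them."""
    return re.findall(r"^\s*inet\s+(\S+)", text, re.M)

def audit(conf, ifconfig_text, sessions):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    targets = translation_targets(conf)
    addrs = interface_addresses(ifconfig_text)
    for nat_addr in targets.get("nat", []):
        if addrs and addrs[0] != nat_addr:
            findings.append(f"nat target {nat_addr} is not first on the interface; {addrs[0]} is")
        for binat_addr in targets.get("binat", []):
            if ip_address(binat_addr) < ip_address(nat_addr):
                findings.append(f"binat address {binat_addr} is numerically lower than nat address {nat_addr}")
    for control, data in sessions:
        if ip_address(control) != ip_address(data):
            findings.append(f"passive data connection from {data} does not match control connection from {control}")
    return findings

if __name__ == "__main__":
    for finding in audit(PF_CONF, IFCONFIG, SESSIONS):
        print("WARN:", finding)
```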