Rule for connecting to ftp server outside network

sadburger

Hello,

We have recently started testing pfSense to replace some of our old OpenBSD boxes, rather than just upgrading them to the newer version. So far I am enjoying the ease of use, and configuration utilities in the GUI. However, we have run into one problem in particular – allowing internal clients to access FTP sites that are external to our network.

I have searched around a lot, and for the most part I can only find posts relating to the opposite-- allowing external access to an internal FTP server.

Our company security policy dictates that we do egress port blocking in addition to ingress, which is what is causing the trouble. If I allow all outbound traffic, things work smoothly, but with pfSense I am not sure how to configure the machine to act as an ftp-proxy. With our old pf firewalls on OpenBSD, this could be achieved with something similiar to:

nat-anchor "ftp-proxy/"
rdr-anchor "ftp-proxy/"
rdr pass on $lanif proto tcp from $lanif:network to any port 21 -> 127.0.0.1 port 8021
pass in quick on $lanif inet proto tcp $lanif:network to $lanif port 8021

Don't have a config in front of me, going from some notes and memory, but that should be pretty close

There is currently no NAT being done on the pfSense box right now, as it is not the edge firewall for the network but sits between two private segments.

Any hints?