BSD FTP Proxy: Allow Outgoing Active/Passive FTP Connections Through the PF Firewall

Date: 2020-01-09 10:38:38  Source: igfitidea

Problem: I have a FreeBSD based Apache web server.
I need to allow outgoing ftp client requests so that I can download the BSD ports collection from various ftp sites.
How do I allow outgoing FTP connections through the PF network firewall software under the FreeBSD or OpenBSD operating system?

Solution: You need to use ftp-proxy, a proxy for the Internet File Transfer Protocol.
FTP opens a second, dynamically negotiated data connection for every transfer, so a stateful firewall cannot know in advance which port to open; ftp-proxy reads the control channel and inserts the matching pass and redirect rules into PF anchors on the fly.
By default, ftp-proxy is installed along with the PF firewall.

Step 1: Enable ftp-proxy under FreeBSD

Under FreeBSD, open the /etc/rc.conf file:

# vi /etc/rc.conf

Append the following line:

ftpproxy_enable="YES"

If you are using OpenBSD, run the following command instead so that ftp-proxy starts at boot:

echo 'ftpproxy_flags=""' >>/etc/rc.conf.local

By default, ftp-proxy listens on port 8021, bound to the 127.0.0.1 IP address.

Step 2: Configure pf and ftp-proxy

Open the /etc/pf.conf file and add the following to its NAT (translation) section:

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

All three rules are required even if your setup does not use NAT. The nat-anchor/rdr-anchor/rdr syntax shown here is the one FreeBSD's PF still uses; OpenBSD 4.7 and later replaced rdr with divert-to (see ftp-proxy(8) on that system).
Then find your filter rules and append the following rule:

anchor "ftp-proxy/*"

Save and close the file.

Sample pf.conf rules

A sample /etc/pf.conf that allows outgoing ftp as well as outgoing ssh, http and dns.
For incoming traffic it only allows ports 53 and 80 (the rule set also passes ssh on port 22):

#### First declare a couple of variables ####
# outgoing services
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

ext_if = "em1" # Internet
int_if = "em0" # vpn / lan

proxy="127.0.0.1" # ftp proxy IP
proxyport="8021" # ftp proxy port

#### Options (pfctl requires options before scrub, translation and filter rules)
# Unlimited traffic for lo0 and the VPN/LAN interface
set skip on {lo0, $int_if}

#### Normalization
scrub in all

#### NAT and RDR start
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect outgoing ftp control connections to the proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

#### Start filtering
# Drop everything incoming by default
block in all

# Send a connection refused message to the client for blocked traffic
block return

# Keep state for outgoing connections
pass out keep state

# ftp-proxy inserts its per-session pass rules into this anchor
anchor "ftp-proxy/*"

# Spoofing protection for all interfaces (reverse path check)
block in quick from urpf-failed

# Antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if

# Block RFC 1918 and other non-routable (martian) addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Allow outgoing ssh, smtp, domain, www, https, ntp, whois
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services

# Allow outgoing traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Allow incoming named udp / tcp 53
pass in on $ext_if proto udp from any to any port 53
# All incoming tcp services protected using synproxy
# (synproxy state already modulates sequence numbers, so "modulate" is not repeated)
pass in on $ext_if proto tcp from any to any port 53 flags S/SA synproxy state
# Allow http traffic
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
# SSH
pass in on $ext_if proto tcp from any to any port 22 flags S/SA synproxy state
# Allow ICMP ping
pass inet proto icmp all icmp-type $icmp_types keep state

Step 3: Restart the PF firewall

Under FreeBSD, run the following command:

# /etc/rc.d/pf restart

Or, under OpenBSD, run the following (this also works under FreeBSD; the first command with -n only checks the syntax of the rule file without loading it, the second loads the rules):

# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf

Step 4: Start ftp-proxy

Run the following command to start ftp-proxy under FreeBSD:

# /etc/rc.d/ftp-proxy start

Under OpenBSD, simply run the following to start ftp-proxy:

# /usr/sbin/ftp-proxy

Test your setup

Test your setup with an ftp client by running:

$ ftp ftp.freebsd.org
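Before loading a modified pf.conf it helps to check mechanically that the four ftp-proxy directives from step 2 are present and sit in the sections PF expects. The script below is an added example and not part of the original article: the check_ftp_proxy_rules function, the line_of helper and the two sample configurations are constructed for illustration. It needs only a POSIX shell with sed, awk and grep, so it runs anywhere, and it complements rather than replaces pfctl -nf, which remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not from the original article): a preflight check for the
# step 2 changes to pf.conf. It verifies that the three translation
# directives (nat-anchor, rdr-anchor, rdr ... port ftp) and the filter anchor
# are present, and that they sit in the order PF enforces: options (set)
# before normalization (scrub), translation before the first filter rule,
# and the filter anchor after the translation rules. The two sample configs
# are constructed for the demo; point the check at /etc/pf.conf on a real
# system and follow it with "pfctl -nf /etc/pf.conf".

# line_of REGEX first|last: line number of the first/last line of $rules
# matching REGEX, or 0 when nothing matches.
line_of() {
    printf '%s\n' "$rules" | awk -v re="$1" -v mode="$2" \
        '$0 ~ re { n = NR; if (mode == "first") exit } END { print n + 0 }'
}

# check_ftp_proxy_rules FILE
# Prints one line per problem found; returns 0 when the config looks complete.
check_ftp_proxy_rules() {
    file=$1
    rc=0
    # Blank out comments but keep every line, so a commented-out rule does not
    # count as present and reported line numbers match the file.
    # (Simplification: a "#" inside a quoted string is treated as a comment.)
    rules=$(sed 's/#.*//' "$file")

    # The four directives from step 2, as regular expressions over whole lines.
    for want in '^[[:space:]]*nat-anchor[[:space:]]+"ftp-proxy/[*]"' \
                '^[[:space:]]*rdr-anchor[[:space:]]+"ftp-proxy/[*]"' \
                '^[[:space:]]*rdr[[:space:]].*port[[:space:]]+ftp[[:space:]]+->' \
                '^[[:space:]]*anchor[[:space:]]+"ftp-proxy/[*]"'; do
        if ! printf '%s\n' "$rules" | grep -Eq -- "$want"; then
            echo "missing: no active rule matches $want"
            rc=1
        fi
    done

    # Section boundaries. pfctl rejects a file whose rules are not in the
    # order options, normalization, queueing, translation, filtering.
    last_set=$(line_of '^[[:space:]]*set[[:space:]]' last)
    first_scrub=$(line_of '^[[:space:]]*scrub[[:space:]]' first)
    last_xlate=$(line_of '^[[:space:]]*(nat-anchor|rdr-anchor|nat|rdr)[[:space:]]' last)
    first_filter=$(line_of '^[[:space:]]*(pass|block)([[:space:]]|$)' first)
    ftp_anchor=$(line_of '^[[:space:]]*anchor[[:space:]]+"ftp-proxy/[*]"' first)

    if [ "$last_set" -gt 0 ] && [ "$first_scrub" -gt 0 ] && [ "$last_set" -gt "$first_scrub" ]; then
        echo "order: 'set' option on line $last_set must come before scrub on line $first_scrub"
        rc=1
    fi
    if [ "$first_filter" -gt 0 ] && [ "$last_xlate" -gt "$first_filter" ]; then
        echo "order: translation rule on line $last_xlate must come before the first filter rule on line $first_filter"
        rc=1
    fi
    if [ "$ftp_anchor" -gt 0 ] && [ "$ftp_anchor" -lt "$last_xlate" ]; then
        echo "order: filter anchor on line $ftp_anchor must come after the translation rules (last on line $last_xlate)"
        rc=1
    fi
    return $rc
}

# Constructed sample: the step 2 directives in the right sections.
sample_good_config() {
    cat <<'EOF'
set skip on lo0
scrub in all
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in all
pass out keep state
anchor "ftp-proxy/*"
EOF
}

# Constructed sample with three common mistakes: the rdr rule is commented
# out, the filter anchor was pasted above the translation rules, and a "set"
# option ended up at the bottom of the file.
sample_bad_config() {
    cat <<'EOF'
scrub in all
anchor "ftp-proxy/*"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block in all
pass out keep state
set skip on lo0
EOF
}

# run_check FILE: print the problems and a verdict.
run_check() {
    if check_ftp_proxy_rules "$1"; then
        echo "$1: ftp-proxy rules look complete; now run: pfctl -nf $1"
    else
        echo "$1: fix the problems above before loading the file"
    fi
}

# Demo on the constructed samples (use /etc/pf.conf on a real system).
tmp_good=$(mktemp) && sample_good_config > "$tmp_good"
tmp_bad=$(mktemp) && sample_bad_config > "$tmp_bad"
run_check "$tmp_good"
run_check "$tmp_bad"
rm -f "$tmp_good" "$tmp_bad"
```

The check deliberately blanks comments instead of deleting lines so that the line numbers it reports match what you see in the editor; the regular expressions only look at the rule keywords, so a rdr rule that uses variables for the proxy address and port (as in the sample pf.conf above) is still recognised.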