Date:      Tue, 11 Mar 2008 16:15:53 +0530
From:      "Raja Subramanian" <rajasuperman@gmail.com>
To:        "Kurt Dethier" <kurt-list-freebsd@androme.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: ftp-proxy and route-to
Message-ID:  <92f9a9560803110345g638105e5rc717ac1a5aec0c5f@mail.gmail.com>
In-Reply-To: <47D19DE3.3000007@androme.com>
References:  <47D19DE3.3000007@androme.com>

On Sat, Mar 8, 2008 at 1:26 AM, Kurt Dethier
<kurt-list-freebsd@androme.com> wrote:
> Also I think I would need a route-to and reply-to in the anchor
> rules created by ftp-proxy. Is this possible ?

pfSense (a firewall based on FreeBSD) has the following pftpx patch that will
let you do what you need.  You can pass the route-to interface/gateway IP addr
in the command line.  You can find pftpx-routeto here:

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/#dirlist

You'll need to run a separate pftpx-routeto instance for every WAN interface
on your box and round-robin your ftp traffic from your LAN interface to each
pftpx-routeto instance.  I have this setup working nicely on my FreeBSD 6.2
machine.


The ftp-proxy author is not interested in accepting this patch stating that
routing decisions must not be decided by user space apps and should
remain within the kernel.

That said, he's come up with a clever solution -- implemented in ftp-proxy
found in OpenBSD 4.2 -- ftp-proxy can include custom pf tags in the rules it
automatically inserts.  You can then match tagged packets in later pf rules
and route the ftp traffic over appropriate links.

Note that as before, you'll need a separate instance of ftp-proxy tagging
for every WAN interface on your box.

Let me know if you require any further help.

- Raja
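As an added example, not part of the message above or of the ftp-proxy project, the tag-based setup Raja describes written out in OpenBSD 4.2-era pf syntax for a box with two WAN links. Interface names, addresses, gateways, proxy ports, tag names and the split of LAN clients between the two proxy instances are all assumed values.

```conf
# Two ftp-proxy instances, one per WAN link (assumed ports, tags and addresses).
# Each tags the rules it inserts (-T) and sends its control connection to the
# server from its own WAN address (-a), started for example as:
#   ftp-proxy -a 203.0.113.10  -p 8021 -T ftp_wan1
#   ftp-proxy -a 198.51.100.10 -p 8022 -T ftp_wan2

lan_if  = "em0"
wan1_if = "em1"
wan2_if = "em2"
wan1_ip = "203.0.113.10"     # assumed WAN addresses
wan2_ip = "198.51.100.10"
wan1_gw = "203.0.113.1"      # assumed next-hop gateways
wan2_gw = "198.51.100.1"
lan_a   = "192.168.1.0/25"   # constructed split of LAN clients between
lan_b   = "192.168.1.128/25" # the two proxy instances

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Hand each group of clients to its own proxy instance.
rdr pass on $lan_if proto tcp from $lan_a to any port 21 -> 127.0.0.1 port 8021
rdr pass on $lan_if proto tcp from $lan_b to any port 21 -> 127.0.0.1 port 8022

# Data connections are tagged by the proxy's inserted rules; steer packets that
# carry the "wrong" link's tag onto the right link.  These are quick and sit
# ahead of the anchor so they are chosen before the proxy's own rules.
pass out quick on $wan1_if route-to ($wan2_if $wan2_gw) tagged ftp_wan2
pass out quick on $wan2_if route-to ($wan1_if $wan1_gw) tagged ftp_wan1

# The control connection originates on the firewall itself and carries no
# tag, so route it by the source address each instance was given with -a.
pass out quick on $wan1_if route-to ($wan2_if $wan2_gw) proto tcp from $wan2_ip to any port 21
pass out quick on $wan2_if route-to ($wan1_if $wan1_gw) proto tcp from $wan1_ip to any port 21
pass out proto tcp from { $wan1_ip, $wan2_ip } to any port 21

# ftp-proxy inserts its per-session nat/rdr/pass rules here.
anchor "ftp-proxy/*"
```

Check the result with `pfctl -sr -a 'ftp-proxy/*'` while a session is open to confirm the inserted rules carry the expected tag.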


