From owner-freebsd-pf@FreeBSD.ORG Tue Mar 11 12:27:46 2008
Message-ID: <92f9a9560803110345g638105e5rc717ac1a5aec0c5f@mail.gmail.com>
Date: Tue, 11 Mar 2008 16:15:53 +0530
From: "Raja Subramanian" <rajasuperman@gmail.com>
To: "Kurt Dethier"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <47D19DE3.3000007@androme.com>
Subject: Re: ftp-proxy and route-to
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, Mar 8, 2008 at 1:26 AM, Kurt Dethier wrote:
> Also I think I would need a route-to and reply-to in the anchor
> rules created by ftp-proxy. Is this possible?

pfSense (a firewall based on FreeBSD) has the following pftpx patch that
will let you do what you need. You can pass the route-to interface/gateway
IP addr in the command line.

You can find pftpx-routeto here:
http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/#dirlist

You'll need to run a separate pftpx-routeto instance for every WAN
interface on your box and round-robin your ftp traffic from your LAN
interface to each pftpx-routeto instance. I have this setup working nicely
on my FreeBSD 6.2 machine.

The ftp-proxy author is not interested in accepting this patch, stating
that routing decisions must not be decided by user space apps and should
remain within the kernel.

That said, he's come up with a clever solution -- implemented in ftp-proxy
found in OpenBSD 4.2 -- ftp-proxy can include custom pf tags in the rules
it automatically inserts. You can then match tagged packets in later pf
rules and route the ftp traffic over appropriate links. Note that as
before, you'll need a separate instance of ftp-proxy tagging for every WAN
interface on your box.

Let me know if you require any further help.

- Raja
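As an added illustration of the tagging approach Raja describes (this is my own example, not code from the thread, from pfSense or from OpenBSD): a pf.conf fragment for a two-WAN box running one ftp-proxy instance per WAN, each started with the OpenBSD 4.2 -T option so the rules it inserts carry a tag, and later rules using "tagged" to pick the route. Interface names, addresses, gateways, the lo0 alias 127.0.0.2, the proxy ports and the tag names are assumptions. It relies on the tagged anchor rules not being "quick", so that the tagged route-to and reply-to rules after the anchor are evaluated and, as the last match, create the state; check that on your version with pfctl -sr -a 'ftp-proxy/*' while a transfer is running.

```pf
# pf.conf fragment: two ftp-proxy instances, one per WAN, told apart by tag.
# The instances are started outside pf.conf, for example (assumed invocations):
#   ftp-proxy -b 127.0.0.1 -p 8021 -a 192.0.2.10    -T ftp_wan1
#   ftp-proxy -b 127.0.0.2 -p 8021 -a 198.51.100.10 -T ftp_wan2
# 127.0.0.2 is assumed to be configured as an lo0 alias so the second
# instance can listen on the same port as the first.

ext_if1 = "em0"            # WAN 1 (names, addresses and gateways are assumptions)
ext_if2 = "em1"            # WAN 2
int_if  = "em2"            # LAN
ext_ip1 = "192.0.2.10"
ext_ip2 = "198.51.100.10"
ext_gw1 = "192.0.2.1"
ext_gw2 = "198.51.100.1"
lan_net = "10.0.0.0/24"
proxies = "{ 127.0.0.1, 127.0.0.2 }"

# Translation anchors that both ftp-proxy instances fill at run time
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary outbound NAT for LAN clients on each WAN
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Spread LAN FTP control connections over the two proxy instances
rdr pass on $int_if proto tcp from $lan_net to any port 21 \
    -> $proxies port 8021 round-robin

block log all
pass in on $int_if from $lan_net to any keep state

# Filter anchor: each instance inserts "pass ... tag <its tag>" rules here.
# Because those rules carry a tag they are not quick, so the tagged rules
# below are evaluated afterwards and, as the last match, decide the route.
anchor "ftp-proxy/*"

# Control connections the proxies open themselves (-a sets their source
# address): keep each one on the WAN whose address it carries, even when
# the kernel's default route would push it out the other interface.
pass out on $ext_if1 inet proto tcp from $ext_ip1 to any port 21 keep state
pass out on $ext_if2 inet proto tcp from $ext_ip2 to any port 21 keep state
pass out on $ext_if1 inet proto tcp from $ext_ip2 to any port 21 \
    route-to ($ext_if2 $ext_gw2) keep state
pass out on $ext_if2 inet proto tcp from $ext_ip1 to any port 21 \
    route-to ($ext_if1 $ext_gw1) keep state

# Passive-mode data connections (client -> server, NATed by the proxy's
# inserted rule): send each one over the WAN of the instance that handled
# its control channel.
pass out on $ext_if1 tagged ftp_wan1 keep state
pass out on $ext_if2 tagged ftp_wan2 keep state
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) tagged ftp_wan2 keep state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) tagged ftp_wan1 keep state

# Active-mode data connections (server -> client, rdr'ed by the proxy's
# inserted rule): make replies leave through the WAN they arrived on.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) tagged ftp_wan1 keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) tagged ftp_wan2 keep state
```

The point of the tag is that ftp-proxy itself never names an interface or gateway: it only marks the data connection as belonging to a given instance, and the routing decision stays in pf, which is the split the ftp-proxy author asked for. Each instance needs its own -a address so that both the control connection and the NATed passive data connection carry the address of the WAN the tag routes them over; if -a is left at the default, the data connection can leave WAN 2 with WAN 1's source address and the return traffic will not come back the same way.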