From: phoemix@harmless.hu (Gergely CZUCZY)
Date: Sat, 8 Jul 2006 20:22:53 +0200
To: Dmitry Andrianov
Cc: freebsd-pf@freebsd.org
Subject: Re: proxies
Message-ID: <20060708182252.GA18258@marvin.harmless.hu>

On Sat, Jul 08, 2006 at 12:32:13PM +0400, Dmitry Andrianov wrote:
> Hello.
>
> On Linux there are conntrack "modules" for many protocols available
> which:
> 1. identify related connections and let them go through firewall (like
> FTP data is related to FTP control)
> 2. Let things work through NAT - translate addresses in the FTP control
> connections, identify different PPTP connections even if they go to the
> same endpoint etc
>
> So the question is: does pf have anything similar? I'm most interested
> in FTP, RPC and establishing multiple PPTP connections through NAT to
> the same endpoint.
>
> Currently I use ftpsesame for FTP - it does its job great but it is FTP
> specific solution obviously, RPC would require another application
> listening for traffic (bpf) and changing firewall. Is there a more clean
> way?

we do it a bit different way. man ftp-proxy
that's for FTP, but a similar program can be constructed for
different protocols

the connection is redirected to the -proxy application, which mines
out from the state table where it ought to go, it connects to there,
and acts like a proxy all the way.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
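
A proxy that sits in the FTP control connection, as the reply describes, also has to do the address translation the question asks about. The following is an added example, not ftp-proxy's code and not from either poster: it rewrites the address field of PORT commands and 227 replies to name the proxy, and rejects fields that name anyone but the sender. The function names and all addresses are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 field used by PORT and by the 227 (PASV) reply, RFC 959
HOSTPORT = re.compile(r"(?<![\d,])" + ",".join([r"(\d{1,3})"] * 6) + r"(?![\d,])")


def parse_hostport(text):
    """Return (IPv4Address, port) for the host-port field in text."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no well-formed host-port field")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range")
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def format_hostport(addr, port):
    return "%s,%d,%d" % (str(addr).replace(".", ","), port >> 8, port & 0xFF)


def rewrite_control_line(line, peer_addr, proxy_addr, proxy_port):
    """Rewrite PORT (from the client) or 227 (from the server) to name the proxy.

    peer_addr is the address of whoever sent the line on the control connection.
    Returns (line_to_forward, endpoint_to_relay_to); the endpoint is None for
    lines that carry no data-channel address. Raises ValueError on rejection.
    """
    word = line.strip().split(" ", 1)[0].upper()
    if word not in ("PORT", "227"):
        return line, None
    addr, port = parse_hostport(line)
    # The advertised endpoint must be the sender itself, on an unprivileged
    # port; otherwise the proxy could be steered into contacting a third party.
    if addr != ipaddress.IPv4Address(peer_addr) or port < 1024:
        raise ValueError("refusing data endpoint %s:%d" % (addr, port))
    field = format_hostport(ipaddress.IPv4Address(proxy_addr), proxy_port)
    if word == "PORT":
        new_line = "PORT %s\r\n" % field
    else:
        new_line = "227 Entering Passive Mode (%s)\r\n" % field
    return new_line, (addr, port)
```

The returned endpoint is where the proxy relays the data connection it accepts on `proxy_port`; a protocol other than FTP would need its own parser for whatever fields embed addresses.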