Date:      Tue, 18 Jun 2013 06:32:49 -0500
From:      "Mark Felder" <feld@feld.me>
To:        freebsd-stable@freebsd.org
Cc:        Rainer Duffner <rainer@ultra-secure.de>
Subject:   Re: Problem with ftp-proxy
Message-ID:  <op.wyvg0ziv34t2sn@tech304.office.supranet.net>
In-Reply-To: <20130618131143.340dff14@suse3>
References:  <20130618131143.340dff14@suse3>

On Tue, 18 Jun 2013 06:11:43 -0500, Rainer Duffner  
<rainer@ultra-secure.de> wrote:

> Hi,
>
>
> I use ftp-proxy, together with the patch that starts multiple instances:
>

I recommend avoiding ftp-proxy and setting up static rules that you know  
will work. On our systems in pure-ftpd.conf we set

PassivePortRange          3000 3200

and then on the system's firewall and every firewall in front we pass  
through ports 3000-3200. It's a simple solution that's guaranteed to work,  
and you don't have to debug what the proxy is doing.

Also, most ftp-proxy software tends to do a very bad job once you start  
throwing in FTPES. We see this with customer firewalls all the time. These  
firewall services under the guise of "proxies", "fixups", or "Application  
Layer Gateways" are just inconsistent and unreliable no matter which  
vendor supplies them.

Note, you may have to make the range larger if you expect more than 200  
concurrent sessions.
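
An added example, not part of the original message: a small Python check that the static setup described above is consistent, i.e. that the `PassivePortRange` in pure-ftpd.conf is covered by the firewall pass ranges, is large enough for the expected concurrent sessions, and matches the ports the server actually announces in its 227/229 replies. The function names, the sample configuration and the sample replies are constructed for illustration, and the firewall ranges are entered by hand rather than parsed from any firewall's rule syntax.

```python
import re

# Constructed excerpt, mirroring the setting quoted in the message above.
SAMPLE_CONF = "# pure-ftpd.conf\nPassivePortRange          3000 3200\n"
# Constructed control-channel replies (documentation address 192.0.2.10).
SAMPLE_REPLIES = ["227 Entering Passive Mode (192,0,2,10,11,214)",
                  "229 Extended Passive Mode OK (|||3100|)"]

def passive_range(conf_text):
    """Return (low, high) from a PassivePortRange line, or None if unset."""
    for line in conf_text.splitlines():
        m = re.fullmatch(r"PassivePortRange\s+(\d+)\s+(\d+)",
                         line.split("#", 1)[0].strip())
        if m:
            low, high = int(m.group(1)), int(m.group(2))
            if not 0 < low <= high <= 65535:
                raise ValueError(f"invalid PassivePortRange: {low} {high}")
            return low, high
    return None

def data_port(reply):
    """Data port announced in a 227 (PASV) or 229 (EPSV) reply, else None."""
    m = re.match(r"227 .*\((?:\d+,){4}(\d+),(\d+)\)", reply)
    if m:
        return int(m.group(1)) * 256 + int(m.group(2))  # port = p1*256 + p2
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    return int(m.group(1)) if m else None

def audit(conf_text, firewall_ranges, replies, expected_sessions):
    """Return findings; an empty list means the static setup is consistent.

    firewall_ranges: (low, high) port ranges passed by every firewall on the
    path, entered by hand (assumption: not parsed from any rule syntax).
    replies: 227/229 lines taken from an FTP client's own session log.
    """
    rng = passive_range(conf_text)
    if rng is None:
        return ["PassivePortRange is not set"]
    low, high = rng
    findings = []
    # Simplification: one firewall range must cover the whole passive range.
    if not any(a <= low and high <= b for a, b in firewall_ranges):
        findings.append(f"no firewall range covers {low}-{high}")
    if high - low + 1 < expected_sessions:
        findings.append(f"{high - low + 1} ports for {expected_sessions} sessions")
    for reply in replies:
        port = data_port(reply)
        if port is not None and not low <= port <= high:
            findings.append(f"server announced port {port} outside {low}-{high}")
    return findings
```

With FTPES the 227/229 replies are only readable at the TLS endpoints, so the replies fed to `audit` have to come from the client's or server's own log, not from a capture on the firewall.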


