From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, Art Okunev
Date: Wed, 15 Jun 2005 13:37:04 +0200
Subject: Re: FTP reverse proxy
In-Reply-To: <105247053.20050615163349@okunev.com>
Message-Id: <200506151337.13051.max@love2party.net>

On Wednesday 15 June 2005 08:33, Art Okunev wrote:
> Hello freebsd-pf,
>
> I'm in the process of migrating a Linux-based firewall/router to
> FreeBSD (PF).
>
> The firewall is supposed to work in a hosting environment, so the
> external interface is actually connected to the uplink router; behind
> the firewall are a couple of class C networks with a bunch of web and
> FTP servers.
>
> The only thing I am missing from Linux is the ip_conntrack_ftp kernel
> module, which monitors the traffic on port 21 and dynamically opens
> the higher-numbered (data) ports that the control connection on port
> 21 asks for.
>
> Maybe I'm wrong, but it seems that ftp-proxy only works for FTP
> clients behind ftp-proxy.
>
> Another bad thing about this setup is that the networks behind the
> firewall are managed by our clients, so it is not possible to know
> the IP addresses of the FTP servers and the ephemeral port ranges
> they are using.
>
> So far I have to put something like:
>
> pass proto tcp from any port 1024:65535 to any port 1024:65535
>
> in order to allow passive FTP (I hate this idea!).
>
> Is there any "correct" way to configure PF to allow passive-mode FTP
> connections to FTP servers behind the firewall without having to open
> the higher ports for the whole network range?

Did you see: http://www.sentia.org/projects/ftpsesame/ ?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
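The mechanism Art is asking for, and that both ip_conntrack_ftp and ftpsesame implement in their own way, is to watch the FTP control channel on port 21 and open only the single data port each PASV/EPSV reply or PORT command negotiates, between the two peers of that control connection, instead of the blanket 1024:65535 rule. The following is an added example written for this thread; it is not code from the mail, from ftpsesame or from ip_conntrack_ftp. It parses a constructed control-channel transcript, applies the two sanity checks a helper of this kind needs (the address in the reply must be the peer already on the control connection, and the port must be unprivileged), and emits the narrow pf rules that would be loaded into an anchor. The anchor name and all addresses are assumptions made for the example.

```python
"""Derive per-connection pf rules from FTP control-channel traffic.

Added example, not ftpsesame or ip_conntrack_ftp. It shows the idea both
share: open only the one data port each PASV/EPSV reply or PORT command
negotiates, instead of a blanket 'port 1024:65535' rule. The anchor name
(ftp-data) and all addresses below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -- server tells client where to connect
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)   -- address implied: the server itself
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
# PORT h1,h2,h3,h4,p1,p2                          -- client tells server where to connect back
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


@dataclass(frozen=True)
class DataChannel:
    """One negotiated data connection, as seen from the firewall."""
    mode: str      # "passive": client -> server:port ; "active": server:20 -> client:port
    client: str
    server: str
    port: int

    def pf_rule(self) -> str:
        # One port, the two control-channel peers only, connection setup only, stateful.
        if self.mode == "passive":
            return (f"pass in quick proto tcp from {self.client} to {self.server} "
                    f"port {self.port} flags S/SA keep state")
        return (f"pass out quick proto tcp from {self.server} port 20 to {self.client} "
                f"port {self.port} flags S/SA keep state")


def _hostport(groups) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form; port is p1*256 + p2."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet or port byte out of range")
    return ".".join(map(str, octets)), p1 * 256 + p2


def _check_port(port: int) -> None:
    # A negotiation must never open a privileged port on either side.
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing to open port {port}")


def parse_control_line(line: str, client: str, server: str) -> Optional[DataChannel]:
    """Return the data channel a control line negotiates, None if it negotiates
    nothing, or raise ValueError if it asks for something that must not be opened."""
    m = PASV_RE.match(line)
    if m:
        host, port = _hostport(m.groups())
        # The address in a 227 reply must be the server already on the control
        # connection; otherwise a misconfigured or hostile server could have the
        # firewall open a hole to a third host (Linux's FTP tracking makes the
        # same check unless it is told to be 'loose').
        if host != server:
            raise ValueError(f"PASV address {host} != control peer {server}")
        _check_port(port)
        return DataChannel("passive", client, server, port)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        _check_port(port)
        return DataChannel("passive", client, server, port)
    m = PORT_RE.match(line)
    if m:
        host, port = _hostport(m.groups())
        if host != client:
            raise ValueError(f"PORT address {host} != control peer {client}")
        _check_port(port)
        return DataChannel("active", client, server, port)
    return None


def track_session(lines, client: str, server: str) -> tuple[list[str], list[str]]:
    """Walk a control-channel transcript; return (pf rules to load, rejected lines)."""
    rules, rejected = [], []
    for line in lines:
        try:
            ch = parse_control_line(line, client, server)
        except ValueError as exc:
            rejected.append(f"{line.strip()}  # {exc}")
            continue
        if ch is not None:
            rules.append(ch.pf_rule())
    return rules, rejected


# Constructed transcript: client 198.51.100.7 outside, server 192.0.2.10 behind
# the firewall, both directions interleaved. The last two lines are deliberately bad.
SESSION = [
    "220 ftp.example.test ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,200,150).",
    "RETR file.txt",
    "EPSV",
    "229 Entering Extended Passive Mode (|||51300|)",
    "PORT 198,51,100,7,201,5",
    "200 PORT command successful.",
    "227 Entering Passive Mode (203,0,113,99,200,151).",   # third-party address
    "227 Entering Passive Mode (192,0,2,10,0,80).",        # privileged port
]

if __name__ == "__main__":
    rules, rejected = track_session(SESSION, "198.51.100.7", "192.0.2.10")
    print("\n".join(rules))            # these would be fed to: pfctl -a ftp-data -f -
    print("rejected:", *rejected, sep="\n  ")
```

In a pf.conf the rules would live behind an `anchor "ftp-data"` line (a hypothetical name) and be loaded and flushed per session with `pfctl -a ftp-data`; the important property is visible in the generated rules themselves: each one names exactly one client, one server and one port, so the 1024:65535 range in the original question never has to be opened for the whole network range.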