From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 16 Jun 2005 01:15:00 +0200
To: freebsd-pf@freebsd.org
Subject: Re: FTP reverse proxy
Message-ID: <42B0B674.1010403@quip.cz>
In-Reply-To: <200506151337.13051.max@love2party.net>
References: <105247053.20050615163349@okunev.com> <200506151337.13051.max@love2party.net>

Is ftpsesame working on FreeBSD 5.4? I found the ftpsesame webpage a few
days ago, but the available downloads are marked as

Download ftpsesame-0.91 for OpenBSD 3.4 and 3.5.
Download ftpsesame-0.95 for OpenBSD 3.6.

Max Laier wrote:
> On Wednesday 15 June 2005 08:33, Art Okunev wrote:
>
>>Hello freebsd-pf,
>>
>> I'm in the process of migrating Linux based firewall/router to
>> FreeBSD (PF).
>>
>> Firewall supposed to be working in a hosting environment so actually
>> external interface is connected to uplink router; behind firewall
>> are couple of class C networks with bunch of web and FTP servers.
>>
>> The only thing I am missing from Linux is ip_conntrack_ftp kernel
>> module which monitors the traffic on port 21 and dynamically opens
>> the higher no (data) ports that the control on port 21 asks for.
>>
>> Maybe I'm wrong but it seems that ftp-proxy only works for ftp
>> clients behind ftp-proxy.
>>
>> Another bad thing about this setup is that networks behind firewall
>> managed by our clients so it is not possible to know IP addresses of
>> FTP servers and ephemeral port ranges they are using.
>>
>> So far I have to put something like:
>>
>> pass all proto tcp from any port 1024:65535 to any port 1024:65535
>>
>> in order to allow passive FTP (I hate this idea!).
>>
>> Is there any "correct" way to configure PF to allow passive mode ftp
>> connection to FTP servers behind firewall without having to open
>> higher ports for all network range?
>
>
> Did you see:
> http://www.sentia.org/projects/ftpsesame/ ?
>

-- 
Miroslav Lachman
Webapplication Developer