Date:      Wed, 15 Jun 2005 13:37:04 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, Art Okunev <art@okunev.com>
Subject:   Re: FTP reverse proxy
Message-ID:  <200506151337.13051.max@love2party.net>
In-Reply-To: <105247053.20050615163349@okunev.com>
References:  <105247053.20050615163349@okunev.com>

On Wednesday 15 June 2005 08:33, Art Okunev wrote:
> Hello freebsd-pf,
>
>   I'm in the process of migrating a Linux-based firewall/router to
>   FreeBSD (PF).
>
>   The firewall is supposed to work in a hosting environment, so the
>   external interface is connected to the uplink router; behind the
>   firewall are a couple of class C networks with a bunch of web and
>   FTP servers.
>
>   The only thing I am missing from Linux is the ip_conntrack_ftp kernel
>   module, which monitors the traffic on port 21 and dynamically opens
>   the higher-numbered (data) ports that the control connection on port
>   21 asks for.
>
>   Maybe I'm wrong, but it seems that ftp-proxy only works for FTP
>   clients behind ftp-proxy.
>
>   Another bad thing about this setup is that the networks behind the
>   firewall are managed by our clients, so it is not possible to know
>   the IP addresses of the FTP servers and the ephemeral port ranges
>   they are using.
>
>   So far I have had to put something like:
>
>   pass all proto tcp from any port 1024:65535 to any port 1024:65535
>
>   in order to allow passive FTP (I hate this idea!).
>
>   Is there any "correct" way to configure PF to allow passive-mode FTP
>   connections to FTP servers behind the firewall without having to open
>   the higher ports for the whole network range?

Did you see:
http://www.sentia.org/projects/ftpsesame/ ?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

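For readers landing on this thread from a search: the rule Art quotes opens every high TCP port in both directions with no interface, no state and no destination restriction, which exposes far more than FTP data channels. The following pf.conf fragment is an added illustration and is not part of the original thread or of ftpsesame; it puts that catch-all rule beside a narrower stateful form and beside the anchor-based approach a control-channel helper such as ftpsesame would use. The interface name, the two network prefixes and the anchor name "ftpsesame" are assumptions for illustration (check the helper's own documentation for the anchor it expects).

```pf
# Added example (not from the thread). Interface and network addresses are
# constructed for illustration; "hosted_nets" stands for the two class C
# networks behind the firewall that the original poster describes.
ext_if      = "em0"
hosted_nets = "{ 192.0.2.0/24, 198.51.100.0/24 }"

set skip on lo0

# Default deny inbound on the uplink; replies are handled by state.
block in log on $ext_if
pass out on $ext_if proto tcp all flags S/SA keep state

# FTP control channel to any server on the hosted networks: explicit,
# new connections only (SYN), tracked by state.
pass in on $ext_if proto tcp from any to $hosted_nets port 21 \
    flags S/SA keep state

# Passive data channels. The rule the poster is using today is
#   pass all proto tcp from any port 1024:65535 to any port 1024:65535
# which also exposes every other high-port service on the hosted networks
# and permits arbitrary outbound high-port connections. Preferred form:
# leave the ports closed here and let a helper that parses the FTP control
# channel insert short-lived per-session rules into this anchor (ftpsesame,
# linked in the reply above, is such a helper; the anchor name is an
# assumption about that tool).
anchor "ftpsesame"

# Fallback when no helper is available. Still narrower than the poster's
# rule (inbound only, one interface, destinations limited to the hosted
# networks, SYN-only, state-tracked), but it exposes every high port on
# those networks, so treat it as a stopgap.
# pass in on $ext_if proto tcp from any to $hosted_nets port 1024:65535 \
#     flags S/SA keep state
```

Because pf uses last-matching-rule semantics, the per-session rules a helper loads into the anchor take precedence over the default `block in` above it, and they disappear with the session, so the exposure window is limited to the data port a specific control connection negotiated. Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it before `pfctl -f`.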