
Re: FTP reverse proxy



On Wednesday 15 June 2005 08:33, Art Okunev wrote:
> Hello freebsd-pf,
>
>   I'm in the process of migrating a Linux based firewall/router to
>   FreeBSD (PF).
>
>   The firewall is supposed to work in a hosting environment, so the
>   external interface is connected to the uplink router; behind the
>   firewall are a couple of class C networks with a bunch of web and FTP
>   servers.
>
>   The only thing I am missing from Linux is the ip_conntrack_ftp kernel
>   module, which monitors the traffic on port 21 and dynamically opens
>   the higher-numbered (data) ports that the control connection on port
>   21 asks for.
>
>   Maybe I'm wrong, but it seems that ftp-proxy only works for FTP
>   clients behind ftp-proxy.
>
>   Another bad thing about this setup is that the networks behind the
>   firewall are managed by our clients, so it is not possible to know the
>   IP addresses of the FTP servers and the ephemeral port ranges they are
>   using.
>
>   So far I have to put something like:
>
>   pass all proto tcp from any port 1024:65535 to any port 1024:65535
>
>   in order to allow passive FTP (I hate this idea!).
>
>   Is there any "correct" way to configure PF to allow passive mode FTP
>   connections to FTP servers behind the firewall without having to open
>   the higher ports for the whole network range?

Did you see:
http://www.sentia.org/projects/ftpsesame/ ?

-- 
/"\  Best regards,                      | mlaier_(_at_)_freebsd_(_dot_)_org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier_(_at_)_EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
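The mechanism the thread is talking about (ip_conntrack_ftp on Linux, and the ftpsesame project suggested in the reply) is a helper that watches the FTP control connection on port 21, extracts the data endpoint the server advertises in its PASV reply, and opens only that one address/port instead of the whole 1024:65535 range. The following Python script is an added illustration of that core step, written for this page; it is not code from the thread, from ftpsesame or from any firewall product. It parses 227 (PASV) and 229 (EPSV) server replies, checks that the advertised endpoint really belongs to the server that sent the reply and lies in an ephemeral port range, and emits the narrow pf rule a helper would load for the lifetime of that control session. The replies, server address and port range are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of server replies as they would be seen on port 21 of an
# FTP server behind the firewall (not captured from a real session).
SERVER_IP = "192.0.2.10"
SAMPLE_REPLIES = [
    "220 ftp.example.test FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,235)",   # 195*256+235 = 50155
    "229 Entering Extended Passive Mode (|||50124|)",   # EPSV: port only
    "227 Entering Passive Mode (203,0,113,7,4,1)",      # advertises a foreign host
    "227 Entering Passive Mode (192,0,2,10,3,255)",     # 1023: below the ephemeral range
]

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_passive_reply(line: str, server_ip: str) -> Optional[DataEndpoint]:
    """Return the data endpoint advertised by a PASV/EPSV reply, or None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # malformed octet, ignore the reply
        return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries no address; the data connection goes to the control peer.
        return DataEndpoint(server_ip, int(m.group(1)))
    return None


def pf_rule_for(ep: DataEndpoint, server_ip: str,
                ephemeral=(1024, 65535)) -> Optional[str]:
    """Build the single pf rule that admits this data connection, or None.

    Only endpoints that point back at the server which sent the reply are
    trusted, so a reply naming some other host never opens a hole toward it,
    and only ports inside the configured ephemeral range are admitted.
    """
    if ep.host != server_ip:
        return None
    lo, hi = ephemeral
    if not lo <= ep.port <= hi:
        return None
    return (f"pass in quick proto tcp from any to {ep.host} "
            f"port {ep.port} flags S/SA keep state")


def rules_from_replies(replies: List[str], server_ip: str) -> List[str]:
    """Walk the control-channel replies and collect the rules to load."""
    rules = []
    for line in replies:
        ep = parse_passive_reply(line, server_ip)
        if ep is None:
            continue
        rule = pf_rule_for(ep, server_ip)
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in rules_from_replies(SAMPLE_REPLIES, SERVER_IP):
        print(r)
```

Run stand-alone it prints two rules, one for port 50155 and one for port 50124; the reply advertising 203.0.113.7 and the one advertising port 1023 produce nothing. A real helper would load such rules into a pf anchor and remove them when the control connection closes, which is what replaces the blanket `any port 1024:65535` rule from the original question.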
