BiNat and ftp-proxy for webhosting on OBSD 3.1 -release

["Shaun Sturby" <shaun@optrics.com>]

Hello all,

Here is an interesting challenge to chew on.
Due to the ISP we use for web hosting declaring bankruptcy we had to move
multiple servers last weekend to a new ISP.

Wanting to increase security and make the job of moving ISP's (which I hope
we never have to) easier. I suggested that we put in an OpenBSD firewall.
The BINAT feature is what sold me as we could leave the servers on the old
IP's and do a 1:1 two way NAT with our new IP space. In an abbreviated lab
test it worked well and things that I didn't expect to work just did. |:-O

I had done a fair bit reading and knew that the ftp protocol, and PASV
connections was going to be a bit of a bear to work around but there was an
ftp-proxy service and the setup looked fairly straight forward.

In my further reading on ftp-proxy all the examples assume that either the
clients are being NAT'ed out one IP as in a typical LAN or that there is
only one ftp server that needs to be contacted behind the firewall.

Q1. Does any one have experience with this scenario that they would like to
share?
Multiple ftp servers behind a BINAT firewall.

I know 3.2 is about to be released and it has a lot of enhancements to pf
so..

Q2. Does this scenario work better in OBSD 3.2?

Thanks in advance for any pointers.

Shaun Sturby, MCSE
Network Specialist
Optrics Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Optrics Inc. and FundSoft - Canadian Ipswitch Premier Partners
Email: shaun@optrics.com Website: <http://www.optrics.com>
Snail: Suite 100 4911 - 114 St. Edmonton, AB, Canada, T6H 3L5
Tel:(780) 466-6016 Toll Free: 1-877-386-3763 Fax:(780) 432-5630
Solutions for a Connected World: <http://www.optrics.com/linecard.htm>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



___________________________________________________________________________________

IMail Server has scanned this e-mail for viruses using Declude Virus from Optrics.com