Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 15 Apr 2013 14:01:57 +0300
From:      Kimmo Paasiala <kpaasial@gmail.com>
To:        lev@freebsd.org
Cc:        Mark Martinec <Mark.Martinec+freebsd@ijs.si>, freebsd-net@freebsd.org, current@freebsd.org
Subject:   Re: ipfilter(4) needs maintainer
Message-ID:  <CA%2B7WWSfoeRoU3D-iHwdcQwNGrE=D7vxvuey4yEm921D=41OfGA@mail.gmail.com>
In-Reply-To: <CA%2B7WWSeBEhmeAynU6mCEJdPEmcReQ1HCMQaVh=WmBdM9orqqcw@mail.gmail.com>
References:  <20130411201805.GD76816@FreeBSD.org> <20130414160648.GD96431@in-addr.com> <36562.1365960622.5652758659450863616@ffe10.ukr.net> <201304150025.07337.Mark.Martinec%2Bfreebsd@ijs.si> <951943801.20130415141536@serebryakov.spb.ru> <CA%2B7WWSeODqdP1_7MDs6=BiGF%2BDSR62w21uu4hS3PtTDBkmshsg@mail.gmail.com> <195468703.20130415143237@serebryakov.spb.ru> <CA%2B7WWSdbEx7Kbc0WOBNLc-vH19DdKK7L-xORO8SepKcMQR2xEg@mail.gmail.com> <621849003.20130415144428@serebryakov.spb.ru> <CA%2B7WWSeXLC6mJXB9zv2p3e1Q-z2Xf3mH9h0SqOmiXWRGLFs4GA@mail.gmail.com> <66408799.20130415145023@serebryakov.spb.ru> <CA%2B7WWSeBEhmeAynU6mCEJdPEmcReQ1HCMQaVh=WmBdM9orqqcw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, Apr 15, 2013 at 1:54 PM, Kimmo Paasiala <kpaasial@gmail.com> wrote:
> On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov <lev@freebsd.org> wrote:
>> Hello, Kimmo.
>> You wrote 15 =D0=B0=D0=BF=D1=80=D0=B5=D0=BB=D1=8F 2013 =D0=B3., 14:47:24=
:
>>
>> KP> I'm however talking about an ftp client behind a very restrictive
>> KP> firewall making an IPv6 connection an ftp server that uses passive
>> KP> mode data ports that can't be known in advance.
>>   Same solution -- inspection of connections to 21 port, without any
>>  address translation. And if FTP server uses non-standard control
>>  port, yes, here is a problem, but it cannot be solved with NAT too
>>  (or your NAT/firewall should expect each and every connection for FTP
>>  commands, which is heavy and error-prone task).
>>
>
> Mmm, are you thinking of the way Linux iptables handles this scenario
> with a kernel mode helper? I don't think any of the three packet
> filters in FreeBSD has a functionality like that yet.
>
> -Kimmo

To elaborate on this, Linux iptables has a "related" qualifier for
rules and the "related" traffic is identified by kernel mode helpers,
ftp is one example for their use.

-Kimmo

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2B7WWSfoeRoU3D-iHwdcQwNGrE=D7vxvuey4yEm921D=41OfGA>