From owner-freebsd-current@FreeBSD.ORG Mon Apr 15 10:54:50 2013
Date: Mon, 15 Apr 2013 13:54:48 +0300
Subject: Re: ipfilter(4) needs maintainer
From: Kimmo Paasiala
To: lev@freebsd.org
Cc: Mark Martinec, freebsd-net@freebsd.org, current@freebsd.org
List-Id: Discussions about the use of FreeBSD-current

On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov wrote:
> Hello, Kimmo.
> You wrote April 15, 2013, 14:47:24:
>
> KP> I'm however talking about an ftp client behind a very restrictive
> KP> firewall making an IPv6 connection to an ftp server that uses passive
> KP> mode data ports that can't be known in advance.
> Same solution -- inspection of connections to port 21, without any
> address translation. And if the FTP server uses a non-standard control
> port, yes, here is a problem, but it cannot be solved with NAT either
> (or your NAT/firewall should expect each and every connection for FTP
> commands, which is a heavy and error-prone task).
>

Mmm, are you thinking of the way Linux iptables handles this scenario
with a kernel mode helper? I don't think any of the three packet
filters in FreeBSD has a functionality like that yet.

-Kimmo
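
The control-connection inspection discussed in this thread, as an added example that is not part of the original messages and not code from any FreeBSD packet filter or from Linux iptables: it reads one server reply from the port 21 control connection and derives the single data-connection pinhole to allow, with no address translation. It covers the IPv6 case (EPSV, RFC 2428) and, going beyond the thread, the IPv4 PASV reply; the function name, the port policy and the sample replies are assumptions made for illustration.

```python
import ipaddress
import re

# 229 reply (RFC 2428 EPSV): "(<d><d><d>port<d>)", the same delimiter each time.
EPSV_RE = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")
# 227 reply (RFC 959 PASV): "h1,h2,h3,h4,p1,p2", IPv4 only.
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def pinhole_for_reply(line, client, server):
    """Return (client, server, data_port) to allow, or None.

    Hypothetical helper: `line` is one server reply seen on the control
    connection; `client` and `server` are that connection's endpoints.
    Only a data connection between the same two hosts is ever allowed.
    """
    server_ip = ipaddress.ip_address(server)
    m = EPSV_RE.match(line)
    if m:
        # EPSV carries no address: the data connection goes to the same server.
        port = int(m.group(2))
    else:
        m = PASV_RE.match(line)
        if not m:
            return None  # not a passive-mode reply
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return None
        advertised = ipaddress.ip_address(".".join(map(str, octets[:4])))
        # Refuse a reply that points the client at a third host.
        if advertised != server_ip:
            return None
        port = octets[4] * 256 + octets[5]
    # Assumed policy: passive data ports are unprivileged; refuse anything else.
    if not 1024 <= port <= 65535:
        return None
    return (str(ipaddress.ip_address(client)), str(server_ip), port)


if __name__ == "__main__":
    # Constructed reply; addresses are from the documentation range 2001:db8::/32.
    print(pinhole_for_reply("229 Entering Extended Passive Mode (|||6446|)",
                            "2001:db8::10", "2001:db8::21"))
```

A real helper would also expire the pinhole after the first matching connection or a short timeout, and this only works while the control connection is unencrypted.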