From: Kimmo Paasiala
To: lev@freebsd.org
Cc: Mark Martinec, freebsd-net@freebsd.org, current@freebsd.org
Date: Mon, 15 Apr 2013 14:01:57 +0300
Subject: Re: ipfilter(4) needs maintainer
List-Id: Discussions about the use of FreeBSD-current

On Mon, Apr 15, 2013 at 1:54 PM, Kimmo Paasiala wrote:
> On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov wrote:
>> Hello, Kimmo.
>> You wrote on 15 April 2013, 14:47:24:
>>
>> KP> I'm however talking about an ftp client behind a very restrictive
>> KP> firewall making an IPv6 connection to an ftp server that uses passive
>> KP> mode data ports that can't be known in advance.
>> Same solution -- inspection of connections to port 21, without any
>> address translation. And if the FTP server uses a non-standard control
>> port, yes, there is a problem, but it cannot be solved with NAT either
>> (or your NAT/firewall would have to inspect each and every connection for
>> FTP commands, which is a heavy and error-prone task).
>>
>
> Mmm, are you thinking of the way Linux iptables handles this scenario
> with a kernel mode helper? I don't think any of the three packet
> filters in FreeBSD has functionality like that yet.
>
> -Kimmo

To elaborate on this, Linux iptables has a "related" qualifier for rules,
and "related" traffic is identified by kernel-mode helpers; ftp is one
example of their use.

-Kimmo
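The mechanism Kimmo describes, as an added example that is not part of the original thread and is not netfilter code: a small Python model of what a kernel-mode FTP helper does. It watches server replies on the control channel, learns the passive data port from a 227 (PASV, RFC 959, IPv4 only) or 229 (EPSV, RFC 2428, the form an IPv6 client actually sees) reply, registers an expectation for exactly one data connection, and then classifies an inbound SYN as RELATED or NEW. On a real Linux box this is what lets a rule such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` admit the data connection once the `nf_conntrack_ftp` module is loaded, without any address translation. The class and function names (`FtpHelper`, `Expectation`, `inspect_reply`, `classify_syn`), the `loose` flag and all addresses and reply lines are my own constructions.

```python
"""Model of a conntrack-style FTP helper for passive mode.

Added example; not code from the mailing-list thread or from Linux
netfilter. Class and function names are my own. Reply formats follow
RFC 959 (227 PASV, IPv4 only) and RFC 2428 (229 EPSV, protocol agnostic,
so it is what an IPv6 client/server pair actually uses).
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data port p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Entering Extended Passive Mode (|||port|)" -> same host, given port
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def _norm(addr):
    """Canonical string form, so '2001:DB8::10' and '2001:db8::10' compare equal."""
    return str(ip_address(addr))


@dataclass(frozen=True)
class Expectation:
    """One expected data connection: client -> server:port, consumed on use."""
    client: str
    server: str
    port: int


class FtpHelper:
    """Watches server->client replies on the control channel (port 21) and
    records which data connection the client is about to open."""

    def __init__(self, loose=False):
        # loose=False: a PASV reply must name the server's own address.
        # Otherwise a server, or anyone who can inject data into the control
        # channel, could make the firewall expect (and admit) a connection to
        # an arbitrary third host. The real nf_conntrack_ftp module has a
        # parameter of the same name for this decision; this flag only
        # models the idea (assumption: this is my simplification).
        self.loose = loose
        self.expectations = set()

    def inspect_reply(self, client, server, line):
        """Feed one control-channel reply line. Returns the Expectation
        registered, or None if the line is not a usable passive-mode reply."""
        client, server = _norm(client), _norm(server)

        m = EPSV_RE.match(line)
        if m:
            port = int(m.group(1))
            if not 0 < port < 65536:
                return None
            exp = Expectation(client, server, port)
            self.expectations.add(exp)
            return exp

        m = PASV_RE.match(line)
        if m:
            fields = [int(x) for x in m.groups()]
            if any(f > 255 for f in fields):
                return None                      # malformed reply
            target = ".".join(str(f) for f in fields[:4])
            port = fields[4] * 256 + fields[5]
            if port == 0:
                return None
            if target != server:
                if not self.loose:
                    return None                  # refuse to open a hole to a third party
                server = target
            exp = Expectation(client, server, port)
            self.expectations.add(exp)
            return exp

        return None                              # not a passive-mode reply

    def classify_syn(self, src, dst, dport):
        """Classify a new TCP SYN that is not the control channel itself:
        'RELATED' if it matches a registered expectation, else 'NEW'."""
        exp = Expectation(_norm(src), _norm(dst), dport)
        if exp in self.expectations:
            self.expectations.discard(exp)       # one data connection per reply
            return "RELATED"
        return "NEW"


def demo():
    """IPv6 client behind a restrictive firewall talking EPSV to a server.
    Addresses are constructed sample data from the documentation ranges."""
    client, server = "2001:db8::10", "2001:db8::21"
    helper = FtpHelper()
    helper.inspect_reply(client, server, "220 ftp.example.org ready")      # ignored
    exp = helper.inspect_reply(client, server,
                               "229 Entering Extended Passive Mode (|||49152|)")
    first = helper.classify_syn(client, server, 49152)   # the data connection
    second = helper.classify_syn(client, server, 49152)  # a replay: not admitted
    stray = helper.classify_syn(client, server, 49153)   # unrelated port
    return exp.port, first, second, stray


if __name__ == "__main__":
    print(demo())   # (49152, 'RELATED', 'NEW', 'NEW')
```

The point a firewall operator should take from the model is the one the thread circles around: the helper needs to see the control channel in the clear on the port it is told to watch, so a server on a non-standard control port is invisible to it unless the helper is explicitly attached to that port too, and a helper that trusts whatever address a PASV reply names can be turned into a way of opening the firewall toward other hosts, which is why the model rejects such replies by default.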