From: "Mark Felder"
To: freebsd-stable@freebsd.org
Cc: Rainer Duffner
Subject: Re: Problem with ftp-proxy
Date: Tue, 18 Jun 2013 06:32:49 -0500
In-Reply-To: <20130618131143.340dff14@suse3>

On Tue, 18 Jun 2013 06:11:43 -0500, Rainer Duffner wrote:

> Hi,
>
>
> I use ftp-proxy, together with the patch that starts multiple instances:
>

I recommend avoiding ftp-proxy and setting up static rules that you know will work. On our systems in pure-ftpd.conf we set

PassivePortRange 3000 3200

and then on the system's firewall and every firewall in front we pass through ports 3000-3200. It's a simple solution that's guaranteed to work, and you don't have to debug what the proxy is doing.

Also, most ftp-proxy software tends to do a very bad job once you start throwing in FTPES. We see this with customer firewalls all the time. These firewall services under the guise of "proxies", "fixups", or "Application Layer Gateways" are just inconsistent and unreliable no matter which vendor supplies it.

Note, you may have to make the range larger if you expect more than 200 concurrent sessions.
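
Added example, not part of the original message or of any project's code: a small Python check that the static setup described above is consistent, i.e. that every port in pure-ftpd's PassivePortRange is passed by the firewall and that the range is large enough for the expected session count. Assumptions: the sample configs are constructed, the interface name em0 is hypothetical, only simple pf `pass ... proto tcp ... to X port N` / `N:M` rules (bare or in a `{ }` list) are parsed, and one passive port per concurrent session is used as the sizing rule of thumb.

```python
import re

# Constructed sample configs; contents and the em0 interface name are assumptions.
PUREFTPD_CONF = """\
# pure-ftpd.conf (constructed sample)
PassivePortRange 3000 3200
"""
PF_CONF_GOOD = """\
pass in on em0 proto tcp to any port 21
pass in on em0 proto tcp to any port 3000:3200
"""
PF_CONF_SHORT = """\
pass in proto tcp to any port { 21, 3000:3100 }
"""

def passive_range(conf):
    """Return (low, high) from the PassivePortRange directive, or None."""
    m = re.search(r"^\s*PassivePortRange\s+(\d+)\s+(\d+)\s*$", conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def passed_tcp_ports(pf_conf):
    """Collect destination ports from simple 'pass ... proto tcp ... to X port ...' rules.
    Only 'N' and the inclusive 'N:M' form (bare or inside a { } list) are understood."""
    ports = set()
    rule = re.compile(r"^\s*pass\b.*\bproto\s+tcp\b.*\bto\s+\S+\s+port\s+(\{[^}]*\}|\S+)")
    for line in pf_conf.splitlines():
        m = rule.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        for tok in re.split(r"[\s,{}]+", m.group(1)):
            r = re.fullmatch(r"(\d+)(?::(\d+))?", tok)
            if r:
                lo, hi = int(r.group(1)), int(r.group(2) or r.group(1))
                ports.update(range(lo, hi + 1))
    return ports

def check(ftpd_conf, pf_conf, expected_sessions):
    """Return a list of problems; an empty list means the static setup is consistent."""
    rng = passive_range(ftpd_conf)
    if rng is None:
        return ["PassivePortRange is not set"]
    low, high = rng
    problems = []
    blocked = sorted(set(range(low, high + 1)) - passed_tcp_ports(pf_conf))
    if blocked:
        problems.append(f"{len(blocked)} passive ports not passed (first {blocked[0]}, last {blocked[-1]})")
    if high - low + 1 < expected_sessions:
        problems.append(f"range holds {high - low + 1} ports, fewer than {expected_sessions} sessions")
    return problems
```

Run the same check against each firewall in front of the server, since the message's approach depends on all of them passing the full range.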