From: Rainer Duffner
Date: Tue, 18 Jun 2013 22:29:51 +0200
Subject: Re: Problem with ftp-proxy
To: "Mark Felder"
Cc: freebsd-stable@freebsd.org
Message-Id: <83C1CB74-FFB3-453B-8D7B-BFDC9ED6FA80@ultra-secure.de>

On 18.06.2013 at 13:32, "Mark Felder" wrote:

> On Tue, 18 Jun 2013 06:11:43 -0500, Rainer Duffner wrote:
>
>> Hi,
>>
>>
>> I use ftp-proxy, together with the patch that starts multiple instances:
>>
>
> I recommend avoiding ftp-proxy and setting up static rules that you know will work. On our systems in pure-ftpd.conf we set
>
> PassivePortRange 3000 3200
>
> and then on the system's firewall and every firewall in front we pass through ports 3000-3200. It's a simple solution that's guaranteed to work, and you don't have to debug what the proxy is doing.
>
> Also, most ftp-proxy software tends to do a very bad job once you start throwing in FTPES. We see this with customer firewalls all the time. These firewall services under the guise of "proxies", "fixups", or "Application Layer Gateways" are just inconsistent and unreliable no matter which vendor supplies it.
>
> Note, you may have to make the range larger if you expect more than 200 concurrent sessions.

Hi,

thanks for the hint.

I didn't get that to work right away, either…

But while I worked through various documentation and tutorials, I checked if net.inet.ip.forwarding was actually set to 1.

It wasn't, even though sysctl.conf had it set.

After re-applying it, things started to work again…

Best Regards,
Rainer
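
The mismatch described in the message above, a value present in sysctl.conf but not in effect on the running kernel, can be checked for mechanically. The following is an added example, not part of the original thread: the function names and the sample values in `demo` are constructed for illustration, and the `name: value` runtime format assumed is that of FreeBSD's `sysctl` output.

```shell
#!/bin/sh
# Added example: report sysctl settings whose running value differs from
# what a sysctl.conf-format file asks for.

# runtime_value NAME [SNAPSHOT]
#   Print the running value of NAME. With SNAPSHOT (a file of "name: value"
#   lines, e.g. saved `sysctl -a` output) look it up there, otherwise query
#   the live kernel. Returns non-zero if the name cannot be read.
runtime_value() {
    if [ -n "${2:-}" ]; then
        awk -v n="$1" -F': ' \
            '$1 == n { print substr($0, length(n) + 3); found = 1 }
             END { exit !found }' "$2"
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# sysctl_drift CONF [SNAPSHOT]
#   Print one line per setting in CONF that is not in effect.
#   Returns 0 when everything matches, 1 when drift was found.
sysctl_drift() {
    conf=$1 snapshot=${2:-}
    report=$(
        # Drop comments, then split each line on the first '='.
        sed -e 's/#.*//' "$conf" | while IFS='=' read -r name want; do
            name=$(printf '%s\n' "$name" | tr -d '[:space:]')
            [ -n "$name" ] || continue
            # Trim whitespace and one pair of surrounding double quotes.
            want=$(printf '%s\n' "$want" | sed -e 's/^[[:space:]]*//' \
                -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/')
            have=$(runtime_value "$name" "$snapshot") || have='<unreadable>'
            [ "$have" = "$want" ] ||
                printf '%s: configured=%s running=%s\n' "$name" "$want" "$have"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the file asks for forwarding, the kernel has it off.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# gateway' 'net.inet.ip.forwarding=1' > "$d/conf"
    printf '%s\n' 'net.inet.ip.forwarding: 0' > "$d/run"
    sysctl_drift "$d/conf" "$d/run"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On a host, `sysctl_drift /etc/sysctl.conf` compares against the live kernel and suits a periodic check, since a gateway with forwarding silently off fails in the way described above.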