Date: Wed, 15 Jun 2005 16:33:49 +1000
From: Art Okunev <art@okunev.com>
To: freebsd-pf@freebsd.org
Subject: FTP reverse proxy
Message-ID: <105247053.20050615163349@okunev.com>
Hello freebsd-pf,

I'm in the process of migrating a Linux based firewall/router to FreeBSD (PF). The firewall is supposed to work in a hosting environment, so the external interface is actually connected to the uplink router; behind the firewall are a couple of class C networks with a bunch of web and FTP servers.

The only thing I am missing from Linux is the ip_conntrack_ftp kernel module, which monitors the traffic on port 21 and dynamically opens the higher-numbered (data) ports that the control connection on port 21 asks for. Maybe I'm wrong, but it seems that ftp-proxy only works for FTP clients behind ftp-proxy.

Another bad thing about this setup is that the networks behind the firewall are managed by our clients, so it is not possible to know the IP addresses of the FTP servers and the ephemeral port ranges they are using. So far I have to put something like:

    pass all proto tcp from any port 1024:65535 to any port 1024:65535

in order to allow passive FTP (I hate this idea!).

Is there any "correct" way to configure PF to allow passive mode FTP connections to FTP servers behind the firewall without having to open the higher ports for the whole network range?

-- 
Best regards,
Art
mailto:art@okunev.com
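The mechanism the post is asking PF to replicate, shown as an added example that is not part of the original thread: a small Python parser for the FTP "227 Entering Passive Mode" reply that a conntrack-style helper reads on the control channel to learn the single data port it must open, instead of the blanket 1024:65535 rule quoted above. The server-address check and the unprivileged-port check are assumptions modelled on how such helpers behave, not code from FreeBSD, PF or ip_conntrack_ftp.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply format from RFC 959.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a PASV reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # each field is one octet
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # high byte * 256 + low byte
    return host, port


def data_channel_to_allow(reply, server_ip, min_port=1024):
    """Decide which single data connection a helper would open for this reply.

    Assumed policy: accept the advertised address only if it is the FTP
    server the control channel is already talking to, and only an
    unprivileged port; anything else opens nothing (returns None).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    host, port = parsed
    if host != str(ipaddress.ip_address(server_ip)):
        return None                         # server advertised someone else
    if port < min_port or port > 65535:
        return None
    return host, port


# Constructed sample replies (not captured traffic).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)\r\n",   # 195*256+80 = 50000
    "227 Entering Passive Mode (203,0,113,5,195,80)\r\n",  # host differs from server
    "227 Entering Passive Mode (192,0,2,10,0,21)\r\n",     # privileged port
    "226 Transfer complete.\r\n",                          # not a PASV reply
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(repr(r.strip()), "->", data_channel_to_allow(r, "192.0.2.10"))
```

Only the first sample yields a (host, port) pair; a firewall helper would then add a rule for exactly that one destination port for the lifetime of the transfer.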
