ipfilter(4) needs maintainer
Kimmo Paasiala
kpaasial at gmail.com
Mon Apr 15 11:01:59 UTC 2013
On Mon, Apr 15, 2013 at 1:54 PM, Kimmo Paasiala <kpaasial at gmail.com> wrote:
> On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov <lev at freebsd.org> wrote:
>> Hello, Kimmo.
>> You wrote 15 апреля 2013 г., 14:47:24:
>>
>> KP> I'm however talking about an ftp client behind a very restrictive
>> KP> firewall making an IPv6 connection an ftp server that uses passive
>> KP> mode data ports that can't be known in advance.
>> Same solution -- inspection of connections to 21 port, without any
>> address translation. And if FTP server uses non-standard control
>> port, yes, here is a problem, but it cannot be solved with NAT too
>> (or your NAT/firewall should expect each and every connection for FTP
>> commands, which is heavy and error-prone task).
>>
>
> Mmm, are you thinking of the way Linux iptables handles this scenario
> with a kernel mode helper? I don't think any of the three packet
> filters in FreeBSD has a functionality like that yet.
>
> -Kimmo
To elaborate on this, Linux iptables has a "related" qualifier for
rules and the "related" traffic is identified by kernel mode helpers,
ftp is one example for their use.
-Kimmo
More information about the freebsd-net
mailing list