FTP reverse proxy
Max Laier
max at love2party.net
Wed Jun 15 11:37:18 GMT 2005
On Wednesday 15 June 2005 08:33, Art Okunev wrote:
> Hello freebsd-pf,
>
> I'm in the process of migrating a Linux-based firewall/router to
> FreeBSD (PF).
>
> The firewall is supposed to be working in a hosting environment, so actually
> the external interface is connected to the uplink router; behind the firewall
> are a couple of class C networks with a bunch of web and FTP servers.
>
> The only thing I am missing from Linux is the ip_conntrack_ftp kernel
> module, which monitors the traffic on port 21 and dynamically opens
> the higher no. (data) ports that the control on port 21 asks for.
>
> Maybe I'm wrong, but it seems that ftp-proxy only works for FTP
> clients behind ftp-proxy.
>
> Another bad thing about this setup is that the networks behind the firewall
> are managed by our clients, so it is not possible to know the IP addresses of
> the FTP servers and the ephemeral port ranges they are using.
>
> So far I have to put something like:
>
> pass all proto tcp from any port 1024:65535 to any port 1024:65535
>
> in order to allow passive FTP (I hate this idea!).
>
> Is there any "correct" way to configure PF to allow passive mode FTP
> connections to FTP servers behind the firewall without having to open
> higher ports for the whole network range?
Did you see:
http://www.sentia.org/projects/ftpsesame/ ?
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News