ftp-proxy and route-to

Raja Subramanian rajasuperman at gmail.com
Tue Mar 11 12:27:46 UTC 2008


On Sat, Mar 8, 2008 at 1:26 AM, Kurt Dethier
<kurt-list-freebsd at androme.com> wrote:
> Also I think I would need a route-to and reply-to in the anchor
> rules created by ftp-proxy. Is this possible ?

pfSense (a firewall based on FreeBSD) has the following pftpx patch that will
let you do what you need.  You can pass the route-to interface/gateway IP addr
in the command line.  You can find pftpx-routeto here:

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/#dirlist

You'll need to run a separate pftpx-routeto instance for every WAN interface
on your box and round-robin your ftp traffic from your LAN interface to each
pftpx-routeto instance.  I have this setup working nicely on my FreeBSD 6.2
machine.


The ftp-proxy author is not interested in accepting this patch, stating that
routing decisions must not be made by user-space apps and should
remain within the kernel.

That said, he's come up with a clever solution -- implemented in ftp-proxy
found in OpenBSD 4.2 -- ftp-proxy can include custom pf tags in the rules it
automatically inserts.  You can then match tagged packets in later pf rules
and route the ftp traffic over appropriate links.

Note that as before, you'll need a separate instance of ftp-proxy tagging
for every WAN interface on your box.

Let me know if you require any further help.

- Raja
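[Editor's note] The tag-and-route-to arrangement Raja describes, written out as a
pf.conf with one tagging ftp-proxy instance per WAN link. This is an added
illustration, not configuration from the thread, from pfSense or from the
ftp-proxy sources. Interface names, addresses, ports, tag names, the second
loopback alias and the ftp-proxy flag meanings (-a source address toward the
server, -b listen address, -p listen port, -T tag) are assumptions; check them
against ftp-proxy(8) and pf.conf(5) for the release in use.

```conf
# Added example (not from the original thread, pfSense or ftp-proxy):
# two WAN links, one tagging ftp-proxy instance per link.  Names,
# addresses, ports and tags are assumptions.
#
# Start one proxy per link before loading this file.  127.0.0.2 is
# assumed to be an alias on lo0:
#   ftp-proxy -b 127.0.0.1 -p 8021 -a 192.0.2.2    -T FTP_WAN1
#   ftp-proxy -b 127.0.0.2 -p 8021 -a 198.51.100.2 -T FTP_WAN2

ext_if1   = "em0"
ext_addr1 = "192.0.2.2"
ext_gw1   = "192.0.2.1"
ext_if2   = "em1"
ext_addr2 = "198.51.100.2"
ext_gw2   = "198.51.100.1"
int_if    = "fxp0"
lan_net   = "10.0.0.0/24"
proxies   = "{ 127.0.0.1, 127.0.0.2 }"

set skip on lo0

# The proxies' per-session nat/rdr rules land in these anchors; they are
# listed first so they win over the generic NAT below.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if1 from $lan_net to any -> $ext_addr1
nat on $ext_if2 from $lan_net to any -> $ext_addr2

# Spread LAN clients' FTP control connections over the two proxies.
# sticky-address keeps a given client on one proxy, hence on one link.
rdr on $int_if proto tcp from $lan_net to any port 21 \
    -> $proxies port 8021 round-robin sticky-address

block all

# Policy routing for data connections the routing table would push out
# the wrong link.  These sit ahead of the ftp-proxy anchor on purpose:
# the pass rules ftp-proxy inserts are "quick", so a rule listed after
# the anchor never sees a packet the proxy already passed.  The tag is
# applied on the inbound leg by the proxy's rule and is still on the
# packet when the outbound leg is evaluated here.
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) \
    proto tcp all tagged FTP_WAN2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) \
    proto tcp all tagged FTP_WAN1 keep state

# The proxies' own control connections originate on the firewall with
# the per-link source address given by -a; steer those the same way.
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) \
    from $ext_addr2 to any keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) \
    from $ext_addr1 to any keep state

# Per-session rules inserted by ftp-proxy (tagged FTP_WAN1 / FTP_WAN2).
anchor "ftp-proxy/*"

pass in  quick on $int_if from $lan_net to any keep state
pass out quick on $ext_if1 from $ext_addr1 to any keep state
pass out quick on $ext_if2 from $ext_addr2 to any keep state
```

Two things to check once it is loaded. While a transfer is running,
`pfctl -a ftp-proxy -sA` lists the per-session anchors the proxies created and
`pfctl -a ftp-proxy/<name> -vsr` shows one of them, including the tag; `pfctl -ss`
then shows on which interface the data connection's state was created. Note
that this covers connections that leave the box; for active-mode transfers,
where the server connects in to the second link's address, the inbound state
is created by the proxy's own rule, which carries no reply-to, so verify the
return path with `pfctl -ss` before relying on it.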


More information about the freebsd-pf mailing list