On 10/3/06, Peter Allgeyer <[EMAIL PROTECTED]> wrote:
Hi Scott, hi Bill!

On Tuesday, 03.10.2006, at 10:05 -0400, Scott Ullrich wrote:

> With the afterfilterchangeshellcmd command.  It is run every time a
> filter change occurs as the last item.  So you can override *ANYTHING*
> the system does including launching your own scripts or launching a
> custom ftpsesame process.
No, as I told you already, system_start_ftp_helpers() is launched
_after_ filter_configure_sync in /etc/rc.bootup. And ftpsesame is killed
by "killall" in system_start_ftp_helpers() after being started in
filter_configure_sync :-( So you can see that the
afterfilterchangeshellcmd command isn't any solution for that problem.
When I'm posting lines of source code, you can believe me that I have
bravely taken a look at it ;-)

Yes, but the filter reloads yet again on final bootup, and it is the
final thing to run, and you could work your magic at this point.

OK, I'll write my own code, since I'm experienced enough. I wanted a
clean solution for all users, but that's apparently not the goal here.
People will further cry at the forum that ftp isn't working. I do know
the reason why and now you know too.

The goal here is to satisfy 99% of the users, which we have done. If
someone really wants an FTP server on their DMZ, then they can open up
the port range that is required by the FTP server.

> I cannot think of any way to cleanly solve this problem.   In addition
> the entire FTP situation has me a little burned out at this point.  I
> just want to get 1.0 out the door, relax a bit then revisit the
> problem for a future version.
Yes, FTP is a shame. But it's used in many places and the solution isn't
to tell people not to use it (though I'm of the same opinion as Bill is,
don't use "bad" protocols over a FW). And think of the other badly
designed (in the case of firewalls) protocols like SIP, PPTP, many
meeting/collaboration protocols ...

BTW: I do love the way the netfilter connection tracking modules in
Linux are solving that problem and don't know any reason why that code
isn't adapted by the pf devs. There must be some reason for not using
such an API. I'll have to search why. Maybe you can give me a link.

Maybe because it's Linux? FreeBSD != Linux, but I am sure you know this.

> However, don't let me distract you from trying.  If you can figure out
> a solution I am all ears.
I'll try to find one that will fit 99.999% of all users. Point 3) isn't
solved and I do not know how, but give me some time.

See above, DMZs should simply punch the port range open on the firewall.

Scott
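Added example, not code from this thread, from ftpsesame or from pfSense: a toy sketch of the two things the messages above argue about. First, what an FTP helper (netfilter's nf_conntrack_ftp, or ftpsesame on pf) has to do, namely read the control channel on TCP/21, pull the dynamic data-channel endpoint out of a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply or a `PORT h1,h2,h3,h4,p1,p2` command, and open a pinhole for exactly that endpoint; second, the static alternative Scott proposes, a fixed passive port range opened on the firewall for a DMZ FTP server. The pf rule strings, the IP addresses and the port range are constructed for illustration and are not the rules either tool emits. The helper sketch also shows the check a practitioner wants: it refuses to open a pinhole when the advertised address differs from the peer on the control connection, which is what stops a malicious server or client from using the helper to punch holes towards arbitrary hosts.

```python
"""Toy FTP-helper logic and a static passive-range rule for pf.
Constructed example; not ftpsesame, nf_conntrack_ftp or pfSense code."""
import re

# Server reply in passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """Turn the six comma-separated FTP fields into (host, port).
    Port is p1 * 256 + p2 (RFC 959 host-port encoding)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("FTP host-port field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line):
    """Return ("pasv" | "port", host, port) for a line that sets up a data
    channel, or None for any other control-channel traffic."""
    m = PASV_RE.match(line)
    if m:
        return ("pasv",) + _decode(m.groups())
    m = PORT_RE.match(line)
    if m:
        return ("port",) + _decode(m.groups())
    return None


def pinhole(line, client_ip, server_ip):
    """What a helper would add after seeing `line` on the control channel
    between client_ip and server_ip. Returns a (hypothetical) pf rule
    string, or None when the line opens no data channel or advertises an
    address that is not the peer on the control connection (refused, so the
    helper cannot be abused to open holes towards third hosts)."""
    parsed = parse_control_line(line)
    if parsed is None:
        return None
    kind, host, port = parsed
    if kind == "pasv":
        # Passive: the client will connect to the port the server advertised.
        if host != server_ip:
            return None
        return (f"pass in quick proto tcp from {client_ip} to {host} "
                f"port {port} flags S/SA keep state")
    # Active: the server connects from port 20 to the port the client advertised.
    if host != client_ip:
        return None
    return (f"pass in quick proto tcp from {server_ip} port 20 to {host} "
            f"port {port} flags S/SA keep state")


def static_pasv_rule(server_ip, pasv_lo, pasv_hi):
    """The no-helper alternative: the FTP server is pinned to a fixed passive
    range (e.g. pasv_min_port/pasv_max_port in vsftpd) and the firewall opens
    that range plus port 21 permanently. Assumes the server also advertises
    its public address if it sits behind NAT (pasv_address in vsftpd)."""
    if not (0 < pasv_lo <= pasv_hi <= 65535):
        raise ValueError("bad passive range")
    return (f"pass in proto tcp from any to {server_ip} "
            f"port {{ 21, {pasv_lo}:{pasv_hi} }} flags S/SA keep state")


if __name__ == "__main__":
    # Constructed sample control-channel lines (documentation addresses).
    print(pinhole("227 Entering Passive Mode (192,0,2,10,195,80).",
                  "198.51.100.7", "192.0.2.10"))
    print(pinhole("PORT 198,51,100,7,4,1", "198.51.100.7", "192.0.2.10"))
    print(pinhole("227 Entering Passive Mode (203,0,113,5,195,80).",
                  "198.51.100.7", "192.0.2.10"))   # refused -> None
    print(static_pasv_rule("192.0.2.10", 50000, 50100))
```

The peer check is the point worth keeping in mind when comparing the two approaches: a helper only works safely if it binds the learned endpoint to the control connection's own peers, whereas the static range is simpler but leaves that range open whether or not an FTP session is in progress.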
