On Wednesday 15 June 2005 08:33, Art Okunev wrote:
> Hello freebsd-pf,
>
> I'm in the process of migrating a Linux based firewall/router to
> FreeBSD (PF).
>
> The firewall is supposed to be working in a hosting environment, so actually
> the external interface is connected to the uplink router; behind the firewall
> are a couple of class C networks with a bunch of web and FTP servers.
>
> The only thing I am missing from Linux is the ip_conntrack_ftp kernel
> module, which monitors the traffic on port 21 and dynamically opens
> the higher no. (data) ports that the control connection on port 21 asks for.
>
> Maybe I'm wrong, but it seems that ftp-proxy only works for ftp
> clients behind ftp-proxy.
>
> Another bad thing about this setup is that the networks behind the firewall
> are managed by our clients, so it is not possible to know the IP addresses of
> the FTP servers and the ephemeral port ranges they are using.
>
> So far I have to put something like:
>
> pass all proto tcp from any port 1024:65535 to any port 1024:65535
>
> in order to allow passive FTP (I hate this idea!).
>
> Is there any "correct" way to configure PF to allow passive mode ftp
> connections to FTP servers behind the firewall without having to open
> higher ports for the whole network range?
Did you see: http://www.sentia.org/projects/ftpsesame/ ?

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
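As an added example (not code from the thread, nor ftpsesame's own configuration), here is a pf.conf layout that replaces the any-to-any high-port rule from the question with a static rule for the FTP control port plus an anchor that an FTP-aware helper such as ftpsesame fills with one short-lived rule per announced data port. The interface name, the hosted networks, the anchor name and the sample inserted rule are assumptions.

```pf
# Added example, not from the thread. Interface, networks and anchor name are
# assumptions; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.7 are constructed
# documentation addresses.
ext_if = "em0"
hosted = "{ 192.0.2.0/24, 198.51.100.0/24 }"   # client-managed networks behind the firewall

# What the question had to do: every high port reachable from every high port.
# pass in on $ext_if proto tcp from any port 1024:65535 to $hosted port 1024:65535

block in on $ext_if

# Static services only: web plus the FTP control port. The port-21 sessions are
# what the helper watches; nothing else on the high ports is opened statically.
pass in on $ext_if proto tcp from any to $hosted port { 21, 80, 443 } keep state

# Passive data ports are not known in advance, so no static rule covers them.
# An FTP-aware helper parses the PASV reply on the port-21 control session and
# loads a rule for exactly that client/server/port triple into this anchor,
# removing it again once the data connection is finished.
anchor "ftpsesame"

# Shape of a rule such a helper would load for one PASV reply (constructed
# addresses), for instance with:
#   pfctl -a ftpsesame -f - <<EOF
#   pass in quick on em0 proto tcp from 203.0.113.7 to 192.0.2.10 port 51234 keep state
#   EOF
```

Compared with the blanket rule, an attacker scanning the hosted networks from an arbitrary high port now reaches only ports 21, 80 and 443 unless an FTP server has just announced a data port to that specific client.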