The only way I could see that working is if it was to forward or
redirect the connection when it had a match...for say port 21 in its rdr
rules. It would still have to send that connection to a proxy which has
an IP address and it has no way of doing that because it does not have
an address to send from.....which is part of TCP as TCP is a connection-
based protocol and therefore the ftp proxy or any host would not see a
packet with a src or dest. I don't even know if it could somehow forward
or redirect unless it's able to examine the packet needed for
redirection, compare it to its arp cache and send it out the interface
that has it but even then any target would have to be locally connected to
one of the interfaces ...have an arp entry.... because it would not know
how to route....theoretically



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jefferson Ogata
Sent: Wednesday, June 12, 2002 1:46 AM
To: [EMAIL PROTECTED]
Subject: Re: FTP Proxy with IPF 3.4.28

taproot420 wrote:
> How can you use a bridge for a proxy? A bridge does not have IP protocol
> addresses associated with its interfaces, it only has Ethernet
> addresses. I don't think you can use a bridge for anything other than a
> filtering gateway at least not network wise.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
> Sent: Tuesday, June 11, 2002 5:06 PM
> To: [EMAIL PROTECTED]
> Subject: FTP Proxy with IPF 3.4.28
> 
> I tried using the FTP Proxy on my little OpenBSD 3.1 machine running as
> a bridge.  It appears the proxy will not kick in because the NAT engine
> isn't used for the bridge.  Is there any way around this?  Am I doing
> something wrong?  It's a generic install of OpenBSD and IPF.
> 
> Thanks.
> 
> Ken

The FTP proxy doesn't theoretically require an IP address. It just sits
inline and adds rules as it observes PORT commands. It may not work, but
there's no reason it couldn't work theoretically in a bridge configuration.

There's no real reason NAT couldn't serve a limited function in a bridge
configuration as well. Just because an address gets translated doesn't
mean that the resulting address must reside on the firewall. It just needs
to have arp in place so it gets routed back. Again, I'm talking theory here,
not practice.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
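To make concrete what "sits inline and adds rules as it observes PORT commands" means, here is an added illustration (not code from the thread or from IPF itself): it parses active-mode PORT commands from a constructed FTP control session, applies the sanity checks a filtering proxy should make before opening the return path, and emits the per-connection allow rule in an ipf-style syntax (the rule wording is an assumption for illustration). Note that nothing in it needs the observing host to own an IP address, which is the point Jefferson makes above.

```python
import re

# Constructed control-channel lines (not from the thread). Client 198.51.100.5
# talks to server 192.0.2.10; each PORT tells the server where to connect back.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 198,51,100,5,192,0",   # 192*256 + 0 = 49152, address matches client
    "RETR file.txt",
    "PORT 203,0,113,9,0,21",     # announced host is a third party: must be rejected
    "PORT 198,51,100,5,0,80",    # privileged port on the client: must be rejected
]

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def port_is_acceptable(client_ip, announced_ip, port):
    """Only open the data path back to the client that sent the command,
    and only to an unprivileged port."""
    return announced_ip == client_ip and 1024 <= port <= 65535

def data_rule(server_ip, client_ip, port):
    """ipf-style rule (illustrative syntax) permitting the server's
    active-mode data connection from port 20 to the announced client port."""
    return (f"pass in quick proto tcp from {server_ip} port = 20 "
            f"to {client_ip} port = {port} flags S keep state")

def proxy_observe(session, client_ip, server_ip):
    """Walk the control channel once; return (rules_added, lines_rejected)."""
    rules, rejected = [], []
    for line in session:
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        if port_is_acceptable(client_ip, ip, port):
            rules.append(data_rule(server_ip, client_ip, port))
        else:
            rejected.append(line)
    return rules, rejected
```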
