On Thu, 22 Jun 2006, Dylan Martin wrote:
> Hi, I've got a bridge firewall protecting some FTP servers. In the
> past I've used ftpsesame to let people on the internet use passive
> connections to my FTP servers. I hear that ftp-proxy in 3.9 is
> supposed to have the functionality of ftpsesame, so I'm trying to
> figure out how to make that work.

No, they're not equivalent. See

http://marc.theaimsgroup.com/?l=openbsd-pf&m=112172929023243&w=2

In short, keep using ftpsesame for bridges.

> From looking at the man page, it looks like I redirect new ftp
> connections to ftp-proxy, and "-R ip-addr" tells it how to behave. My
> problem is that I have two FTP servers. Can I run two instances of
> ftp-proxy without them clobbering each other? That seems like the
> answer, but I'm nervous they'll screw up each other's rules in the
> anchors.

It was designed to allow exactly that. If you run "pfctl -sA -vv" you
can see the sub-anchors that look like this (must have active FTP
sessions):

[EMAIL PROTECTED]:/home/camield $ sudo pfctl -sA -vv
ftp-proxy
ftp-proxy/18669.23768

The first number is the pid of the ftp-proxy that created that
sub-anchor, the second is the session id (which you can match to the
# number in the logging):

Jun 23 07:41:53 qbert ftp-proxy[18669]: #23768 passive: client to server port 42708 via port 65144

So, you can run as many simultaneous proxies as you want.

-- 
Cam
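The correlation Cam describes above (sub-anchor name "ftp-proxy/<pid>.<session>" from "pfctl -sA -vv" joined to the "#<session>" tag ftp-proxy writes to syslog) is easy to script when you have several proxies running and want to know which instance owns which active session. The following is an added example, not code from the thread or from OpenBSD; the pfctl listing and the syslog lines it parses are constructed for the example (two proxy pids, three live sessions, plus one session that has already ended so its anchor is gone), and the "ending session" message text is an assumption about ftp-proxy's log wording.

```python
"""Correlate ftp-proxy(8) sub-anchors with ftp-proxy syslog lines.

Added example, not part of the original thread. Sub-anchors are named
"ftp-proxy/<pid>.<session>"; each log line carries "#<session>" and the
pid in the syslog tag, so the pair (pid, session) joins the two views.
"""
import re
from collections import defaultdict

# Constructed sample of `pfctl -sA -vv` output: two ftp-proxy instances
# (pids 18669 and 20412) with three active sessions between them.
PFCTL_ANCHORS = """\
ftp-proxy
ftp-proxy/18669.23768
ftp-proxy/18669.23771
ftp-proxy/20412.1042
"""

# Constructed syslog lines in the format shown in the thread. The last
# line uses an assumed "ending session" wording for a session whose
# sub-anchor has already been removed.
SYSLOG = """\
Jun 23 07:41:53 qbert ftp-proxy[18669]: #23768 passive: client to server port 42708 via port 65144
Jun 23 07:41:55 qbert ftp-proxy[18669]: #23771 passive: client to server port 42710 via port 65145
Jun 23 07:42:01 qbert ftp-proxy[20412]: #1042 passive: client to server port 42800 via port 65200
Jun 23 07:42:30 qbert ftp-proxy[20412]: #1043 ending session
"""

ANCHOR_RE = re.compile(r"^ftp-proxy/(\d+)\.(\d+)$")
LOG_RE = re.compile(r"ftp-proxy\[(\d+)\]: #(\d+) (.*)$")


def parse_anchors(text):
    """Return {(pid, session): anchor_name} for every ftp-proxy sub-anchor.

    The top-level "ftp-proxy" anchor carries no pid/session and is skipped.
    """
    anchors = {}
    for line in text.splitlines():
        m = ANCHOR_RE.match(line.strip())
        if m:
            anchors[(int(m.group(1)), int(m.group(2)))] = line.strip()
    return anchors


def parse_log(text):
    """Return {(pid, session): [messages]} keyed by proxy pid and session id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return events


def correlate(anchor_text, log_text):
    """Join sub-anchors to their log messages.

    Returns (joined, orphans): joined maps anchor name -> list of log
    messages for that session; orphans lists (pid, session) pairs seen in
    the log that have no sub-anchor, e.g. sessions that already ended.
    """
    anchors = parse_anchors(anchor_text)
    events = parse_log(log_text)
    joined = {name: events.get(key, []) for key, name in anchors.items()}
    orphans = sorted(key for key in events if key not in anchors)
    return joined, orphans


def sessions_per_pid(anchor_text):
    """Count live sub-anchors per ftp-proxy instance (pid)."""
    counts = defaultdict(int)
    for pid, _ in parse_anchors(anchor_text):
        counts[pid] += 1
    return dict(counts)


if __name__ == "__main__":
    joined, orphans = correlate(PFCTL_ANCHORS, SYSLOG)
    for name, msgs in sorted(joined.items()):
        print(name)
        for msg in msgs:
            print("   ", msg)
    print("in log but no live anchor:", orphans)
    print("active sessions per pid:", sessions_per_pid(PFCTL_ANCHORS))
```

On a live box you would feed it the output of `pfctl -sA -vv` and a tail of the syslog file instead of the constructed strings; the join key stays the same, and an orphan in the log is the normal case for a session that has ended and had its sub-anchor flushed, not a sign that two proxies are clobbering each other.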

