On Tue, Jun 24 2008 at 24:19, Giancarlo Razzolini wrote:
> Jon Rubio wrote:
> > Hello everyone,
> >
> > We need some help with the ftp-proxy on reverse mode. Thank you very much
> > for your help.
> >
> > The scenario:
> > ---------------
> >
> > We have an OpenBSD firewall with two interfaces connected to Internet (bge0
> > and bge1).
> > The first interface is used to browse internet and access all external
> > Internet services.
> > The second interface is used to manage incoming connections from our partners
> > to our internal services (www, ftp & mail).
> >
> > We have successfully created routing rules on the PF to route outgoing traffic
> > for www and mail services.
> > We have even successfully created routing rules on the PF to route outgoing
> > traffic for FTP service until it enters on passive mode (ftp authentication
> > is successful).
> >
> > But on PF rules created by the ftp-proxy (dynamically) we can't find how to
> > specify to use the secondary connection, so it sends packages from the first
> > interface.
> >
> > Can anyone, please help us? Any idea would be appreciated.
> >
> > Thanks in advance.
> > --
> > View this message in context:
> > http://www.nabble.com/Route-ftp-proxy-pasive-mode-to-secondary-Internet-conection-tp18100893p18100893.html
> > Sent from the openbsd user - misc mailing list archive at Nabble.com.
> >
> >
> >
> There are two solutions for this problem AFAIK. The easy, and the not so
> easy, but nice solution. The easy, is to change the default gateway of
> the firewall to be the secondary connection one. You will have to adapt
> your rules to use the primary connection for navigation traffic, because
> now, your "secondary" connection is your primary one. So the logic
> changes. The second alternative is to use the -mpath feature of ifconfig
> to set both the default gateways, and to make ftp-proxy create the rules
> using the connection you want. Take a look at the -a option of it. In both
> cases you will have to select the routes using pf. I recommend that you
> do things right and use -mpath. It can even help with failover and other
> things.
>
> My regards,
You may want to look at the -T option of ftp-proxy. This way you can tag
packets for further filtering. The man page seems to describe a solution
to your problem:
    -T tag  The filter rules will add tag tag to data connections, and not
            match quick. This way alternative rules that use the tagged
            keyword can be implemented following the ftp-proxy anchor. These
            rules can use special pf(4) features like route-to, reply-to,
            label, rtable, overload, etc. that ftp-proxy does not implement
            itself.
Claer
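An added pf.conf sketch (not from anyone in the thread) of how the -T tag can be combined with reply-to so the tagged data connections are answered back through bge1 instead of the default route. It assumes OpenBSD 4.3-era pf syntax (separate nat/rdr anchors), the interface names from the original post, and placeholder addresses, tag name and internal interface.

```pf
# Added example, not from the thread. OpenBSD 4.3-era pf.conf syntax.
# bge0/bge1 come from the original post; every address, the tag name
# "ftpdata" and the internal interface "em0" are placeholders.
ext_if1 = "bge0"            # primary uplink, holds the default route
ext_if2 = "bge1"            # secondary uplink used by the partners
int_if  = "em0"             # placeholder: LAN side
gw2     = "203.0.113.1"     # placeholder: next hop reachable on bge1
ftp_srv = "192.168.1.10"    # placeholder: internal FTP server

# The proxy is started in reverse mode, bound to the bge1 address, and
# asked to tag the data connections it opens:
#   ftp-proxy -R 192.168.1.10 -b <bge1 address> -p 21 -T ftpdata

# ftp-proxy installs its nat/rdr rules here (translation must precede
# filtering in this pf.conf version).
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Control channel: arrives on bge1 for the proxy itself (bound with -b),
# and its replies are forced out through bge1's gateway.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to ($ext_if2) port 21 keep state

# ftp-proxy's own filter rules for the data connections live here. With
# -T they carry "tag ftpdata" and are NOT quick, so a later rule can win.
anchor "ftp-proxy/*"

# Passive data connections are rdr'd to the server before filtering, so
# the filter sees $ftp_srv as destination. Being the last matching rule,
# this one wins and adds reply-to, sending the return traffic via bge1.
pass in on $ext_if2 reply-to ($ext_if2 $gw2) proto tcp \
    from any to $ftp_srv tagged ftpdata keep state

# The forwarded leg towards the internal server stays on the LAN.
pass out on $int_if proto tcp from any to $ftp_srv tagged ftpdata keep state
```

Check the result with `pfctl -sr -a "ftp-proxy/*"` while a transfer is running to confirm the anchor rules carry the tag and are not marked quick.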