On 2010-03-12, Vadim Zhukov <[email protected]> wrote:
> Hm-m. I think ftp-proxy itself should be fixed instead. What if target
> FTP server is not on egress? (yes, my workaround proposal was bad at
> that too)? Dropping "on egress" will be stupid because this will
> definitely allow more connections than intended.
>
> Basic algorithm for fix as I see it:
>
> s = socket();
> bind(s);
> getsockname(s, sa);
> add_peer_rule(sa, dest);
> connect(dest);
Hmm. I think it's more flexible to have an explicit rule, then people can choose interfaces, add rule options, etc, as they wish. For example ftp-proxy has no way to tell which interface you might want to permit.
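The socket sequence sketched in the quoted message (socket, bind, getsockname, add rule, connect) in working C, added here as an illustration and not code from this thread or from ftp-proxy. The point it demonstrates is that binding to port 0 and then calling getsockname() fixes the source address and port before connect(), so a filter rule built from that address can be installed first and will match the connection that follows. The names prepare_peer_connection and demo_source_port_is_stable are mine; the pf rule text is illustrative syntax only and is merely formatted, not inserted into an anchor (the add_peer_rule step is left as a comment); 192.0.2.10 is a constructed documentation address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct peer_conn {
    int fd;             /* the socket that will later be connect()ed */
    uint16_t src_port;  /* port the kernel assigned at bind() time */
    char rule[192];     /* illustrative pf rule text built from the bound address */
};

/* Steps 1-3 of the quoted algorithm: socket(), bind() to port 0, getsockname().
 * Returns 0 on success with pc->src_port and pc->rule filled in, -1 on error. */
int prepare_peer_connection(const char *src_ip, const char *dst_ip,
                            uint16_t dst_port, struct peer_conn *pc)
{
    struct sockaddr_in src, bound;
    socklen_t blen = sizeof(bound);
    char sbuf[INET_ADDRSTRLEN];

    memset(pc, 0, sizeof(*pc));
    pc->fd = socket(AF_INET, SOCK_STREAM, 0);
    if (pc->fd < 0)
        return -1;

    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET;
    src.sin_port = htons(0);   /* 0: the kernel picks an ephemeral port at bind() */
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
        bind(pc->fd, (struct sockaddr *)&src, sizeof(src)) < 0 ||
        getsockname(pc->fd, (struct sockaddr *)&bound, &blen) < 0) {
        close(pc->fd);
        pc->fd = -1;
        return -1;
    }
    pc->src_port = ntohs(bound.sin_port);
    inet_ntop(AF_INET, &bound.sin_addr, sbuf, sizeof(sbuf));
    /* Illustrative rule text; a real proxy would hand this to its pf anchor. */
    snprintf(pc->rule, sizeof(pc->rule),
             "pass out quick proto tcp from %s port %u to %s port %u",
             sbuf, (unsigned)pc->src_port, dst_ip, (unsigned)dst_port);
    return 0;
}

/* Self-check on loopback: after connect(), the accepting side sees exactly
 * the port learned from getsockname(), so a rule written before connect()
 * matches the connection. Returns 1 if the ports agree, 0 otherwise. */
int demo_source_port_is_stable(void)
{
    struct sockaddr_in lsa, peer;
    socklen_t len = sizeof(lsa);
    struct peer_conn pc;
    int lfd, afd, ok = 0;

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return 0;
    memset(&lsa, 0, sizeof(lsa));
    lsa.sin_family = AF_INET;
    lsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lsa.sin_port = htons(0);
    if (bind(lfd, (struct sockaddr *)&lsa, sizeof(lsa)) < 0 ||
        getsockname(lfd, (struct sockaddr *)&lsa, &len) < 0 ||
        listen(lfd, 1) < 0) {
        close(lfd);
        return 0;
    }
    if (prepare_peer_connection("127.0.0.1", "127.0.0.1",
                                ntohs(lsa.sin_port), &pc) < 0) {
        close(lfd);
        return 0;
    }
    /* Step 4 (add_peer_rule(pc.rule)) would go here; step 5 is the connect(). */
    if (connect(pc.fd, (struct sockaddr *)&lsa, sizeof(lsa)) == 0) {
        len = sizeof(peer);
        afd = accept(lfd, (struct sockaddr *)&peer, &len);
        if (afd >= 0) {
            ok = (ntohs(peer.sin_port) == pc.src_port);
            close(afd);
        }
    }
    close(pc.fd);
    close(lfd);
    return ok;
}

/* Convenience check: prepare a connection toward a constructed FTP server
 * address and report whether a rule was formed. Returns 1 on success. */
int demo_rule_is_formed(void)
{
    struct peer_conn pc;
    int ok;
    if (prepare_peer_connection("127.0.0.1", "192.0.2.10", 21, &pc) < 0)
        return 0;
    ok = pc.src_port > 0 && strncmp(pc.rule, "pass out quick", 14) == 0;
    close(pc.fd);
    return ok;
}

int main(void)
{
    struct peer_conn pc;
    if (prepare_peer_connection("127.0.0.1", "192.0.2.10", 21, &pc) == 0) {
        printf("bound source port %u; rule to add before connect():\n  %s\n",
               (unsigned)pc.src_port, pc.rule);
        close(pc.fd);
    }
    printf("source port stable across connect(): %s\n",
           demo_source_port_is_stable() ? "yes" : "no");
    return 0;
}
```

Note that the bound source address only becomes interface-specific if the caller binds to a concrete local address rather than INADDR_ANY; with a wildcard bind, getsockname() reports the port but not the interface that routing will later choose, which is the gap the reply's point about choosing interfaces in an explicit rule refers to.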

