
Stuart Henderson <[email protected]> wrote on 12 March 2010 at 11:46:

> On 2010-03-12, Christopher Zimmermann <[email protected]> wrote:
> > On Fri, 12 Mar 2010 00:23:00 +0000 (UTC) Stuart Henderson wrote:
> >> > As I understand it, ftp-proxy could be used to create rules for
> >> > inbound and outbound connections on 4.6. Now on -current the rdr
> >> > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
> >> > suggests using rdr-to, but this only works for inbound
> >> > connections.
> >> >
> >> > Is it possible to allow ftp connections from a local client to
> >> > public ftp servers on the internet? Possibly by using ftp-proxy?
> >>
> >> I suspect your understanding of "inbound" is from the viewpoint
> >> of your network; PF doesn't care about that at all, it's only
> >> concerned with whether a packet is inbound or outbound to a
> >> particular interface.
> >
> > ok, thanks. That's clear. I don't have a whole net. It's just a
> > single workstation, using pppoe0 to reach the internet. So the
> > ftp client is running on the firewall, not behind it. The packets
> > will be outbound on my pppoe0, but not inbound on any interface,
> > will they?
> >
> >> rdr only works for inbound connections too.
> >
> > As I understood it, it works _only_ for inbound connections.
>
> yes, that's what I said; there's no change though:
>
> in 4.6,      rdr    only works for inbound connections
> in -current rdr-to only works for inbound connections
>
> ftp-proxy never was applicable to this sort of situation..

ok. That was my question. Thanks!

> > it seems to me that it is in fact not possible at the moment to
> > use an ftp-client on a firewall until the current restriction on
> > rdr-to in pfctl will be removed. Is this true?
>
> you'll need add rules to allow the connections through if you want
> to do this.

So essentially I have to allow inbound connections to the range between
net.inet.ip.porthifirst
net.inet.ip.porthilast
for active ftp and allow outbound connections from ports >1023 for
passive ftp?
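As an added illustration (not from the thread), a pf.conf fragment for the case described above: the FTP client runs on the firewall itself and reaches the internet over pppoe0. The ephemeral range 49152:65535 is assumed to match the default net.inet.ip.porthifirst/porthilast; check both with sysctl before copying it.

```pf
# Added example, not from the thread. Assumes the FTP client runs on the
# firewall, the external interface is pppoe0, and the defaults
# net.inet.ip.porthifirst=49152 / net.inet.ip.porthilast=65535.
ext_if    = "pppoe0"
eph_ports = "49152:65535"

# Control channel: the client on this host connects to any FTP server.
pass out on $ext_if proto tcp from ($ext_if) to any port 21

# Passive mode: the server announces a data port > 1023 and we connect
# to it, so the outbound data connection goes to an unprivileged port.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023

# Active mode: the server connects back from port 20 to the port our
# client announced, which lies in the local ephemeral range.
# Note: a remote source port of 20 is chosen by the peer, so this rule is
# a scoping measure, not authentication; keep it limited to $eph_ports.
pass in on $ext_if proto tcp from any port 20 to ($ext_if) port $eph_ports
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file before loading it.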
