I'm configuring a notebook which will use PF to protect itself from the environments in which I use it, and would like to have FTP 'just work' on it -- whether it's from an explicit FTP command, from a browser, or embedded in some other program or script. Unfortunately there doesn't seem to be any really good way to do this when a system is its own firewall; the best tool I've found so far is 'ftpsesame', which acknowledges a couple of significant problems (there's no guarantee that the PF rule changes it makes will happen in time, and inspecting packets 'on the fly' without a full TCP stack is error-prone).

I'd expect this to be a rather common desire; is there a good solution that I've missed? Suggestions are very welcome.

I do notice that 4.7 has a new divert-to-userland ability that looks like it could be used to solve this problem properly, by intercepting outbound and inbound control-connection packets on the egress interface. If I read the documentation correctly, ftp-proxy has not (yet) been updated to work this way; is anyone known to be planning to do this?

Thanks,

Dave

--
Dave Anderson
<d...@daveanderson.com>