On 2010-03-16, J.C. Roberts <[email protected]> wrote:
> On Tue, 16 Mar 2010 12:39:01 -0400 (EDT) Dave Anderson <[email protected]> wrote:
>
>> >I see two options:
>> >
>> >1. pass out
>>
>> This can work for passive FTP if one is willing to allow outbound
>> connections to all non-privileged ports, but is useless for active
>> FTP.

do you really need active mode on such a machine anyway, though? by demanding firewalling, you are already doing things that you know will make life difficult for ftp.

>> >2. ftp-proxy(8)
>>
>> Unless I've missed something, this is useless when the FTP connection
>> originates on the system where ftp-proxy is running -- the control
>> connection packets must traverse some interface in the inbound
>> direction for PF to be able to redirect them to ftp-proxy.
>
> No. Just configure your app to use the proxy bound to localhost:port.
> Many apps can pick this up automatically when you have FTP_PROXY=
> defined in your shell, but others might require further configuration.

FTP_PROXY is to use an http proxy to talk to ftp servers. ftp-proxy(8) doesn't support this, it can only pick the address by looking up the address from the PF state. anything else is going to run into the same problem as running a client directly unless it has specific support for PF. with what's available now, ftpsesame has the best chance of working.

