On Tue, 16 Mar 2010, Stuart Henderson wrote:
>On 2010-03-16, J.C. Roberts <[email protected]> wrote:
>> On Tue, 16 Mar 2010 12:39:01 -0400 (EDT) Dave Anderson
>><[email protected]> wrote:
>>
>>> >I see two options:
>>> >
>>> >1. pass out
>>>
>>> This can work for passive FTP if one is willing to allow outbound
>>> connections to all non-privileged ports, but is useless for active
>>> FTP.
>
>do you really need active mode on such a machine anyway, though?
>by demanding firewalling, you are already doing things that you know
>will make life difficult for ftp.

I'd like to have a system where everything 'just works' once I get it
set up; since AFAIK there are still things out there which don't
transparently use passive FTP, I'd like to have active FTP work.
If it can't be done with any reasonable amount of effort I'll settle for
less, but (to me) it's worth some effort investigating.
>>> >2. ftp-proxy(8)
>>>
>>> Unless I've missed something, this is useless when the FTP connection
>>> originates on the system where ftp-proxy is running -- the control
>>> connection packets must traverse some interface in the inbound
>>> direction for PF to be able to redirect them to ftp-proxy.
>>
>> No. Just configure your app to use the proxy bound to localhost:port.
>> Many apps can pick this up automatically when you have FTP_PROXY=
>> defined in your shell, but others might require further configuration.
>
>FTP_PROXY is to use an http proxy to talk to ftp servers.
>
>ftp-proxy(8) doesn't support this, it can only pick the address by
>looking up the address from the PF state.
>
>anything else is going to run into the same problem as running a
>client directly unless it has specific support for PF.
>
>with what's available now, ftpsesame has the best chance of working.

Thanks,
Dave
--
Dave Anderson
<[email protected]>
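The two options discussed in the thread, written out as a pf.conf fragment. This is an added example, not from the thread and not OpenBSD's own documentation; it assumes the pre-4.7 rule ordering and rdr syntax that was current in early 2010, an external interface em0, an internal interface em1 and a constructed internal network (all of these are assumptions).

```conf
# Added example, not from the thread or from OpenBSD's documentation.
# Assumes the pre-4.7 pf.conf ordering (translation before filtering)
# and rdr syntax; interface names and the internal net are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.0.2.0/24"   # RFC 5737 documentation range, constructed

set skip on lo0

# Option 2 from the thread, ftp-proxy(8): the control connection must be
# seen arriving inbound on some interface so the rdr can steer it to the
# proxy on 127.0.0.1:8021. A client on $int_net gets that; a client running
# on this host does not, its packets never cross an interface inbound, so
# these rules never match for it.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

block out on $ext_if all

# Rules ftp-proxy installs on the fly for the sessions it is proxying,
# plus the outbound control connection the proxy itself opens.
anchor "ftp-proxy/*"
pass out on $ext_if proto tcp from ($ext_if) to any port ftp

# Option 1 from the thread, plain "pass out", for the client on this host:
# the control connection plus passive-mode data connections. The server
# picks the data port in its PASV reply, so the only static rule that fits
# is one opening outbound TCP to every unprivileged port. Active mode still
# fails: the server connects back to the port the client announced in PORT,
# and nothing here passes that inbound.
pass out on $ext_if proto tcp to any port ftp
pass out on $ext_if proto tcp to any port > 1023
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the ftp-proxy(8) daemon must be running for the anchor rules to ever be populated.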