On Wed, Oct 30, 2002 at 11:34:16PM +0000, Roy Badami wrote:

> I have to admit that I can't immediately see why ftp-proxy should need
> to be patched to allow this. Isn't this just the same as the usual
> case?

The usual case is ftp clients behind a NATing firewall, allowing active data connections back from the server to the client. ftp-proxy inspects and modifies the control connection stream so the server makes active data connections to the firewall's address, and then connects to the client and forwards the data. If it's the ftp server behind the firewall, you want to modify 227 replies from the server and proxy passive data connections instead.

> iptables allows me to neatly sidestep this issue by defining my rules
> in topological terms. I can write a rule that applies to packets sent
> from interface A to interface B without having to hardwire the list of
> networks into my packet filters.

I don't trust routing tables to influence filter rules. You set securelevel = 2 to prevent filter rules modifications and then some BGP fuckup opens your firewall wide open?

Why do you need huge lists of addresses in rule sets? I agree that duplicating them on multiple interfaces is annoying, but that's what macros are for.

> (And the explicit form gets really messy when you have a network
> routed out of one interface, except for a small subnet of it which
> sits on another interface.)

That can be covered with two simple rules with one netblock each, the second overriding the first, no?

Daniel
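The two rewrites Daniel describes, as an added example that is not part of the original post and not ftp-proxy's own code: the usual case rewrites the client's PORT command so the server's active data connection lands on the firewall, and the reverse case rewrites the server's 227 reply so the client's passive data connection lands on the firewall. The proxy then connects onward to the endpoint it recorded and relays the bytes. Only the control-stream parsing and rewriting is shown; the relay itself and the address values (192.0.2.1 as the firewall, the listening ports, the sample lines) are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port tuple as it appears in PORT commands and 227 replies:
# h1,h2,h3,h4,p1,p2 with port = p1*256 + p2. RFC 1123 tells clients to find
# the six numbers regardless of the surrounding text, so we search, not anchor.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text, or None."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):          # each field is a single octet
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:                            # no usable data port
        return None
    return ".".join(str(n) for n in nums[:4]), port


def format_hostport(ip, port):
    """Inverse of parse_hostport; validates the address through ipaddress."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def rewrite_port_command(line, proxy_ip, proxy_port):
    """Usual case (client behind the NAT): rewrite the client's PORT command so
    the server connects to proxy_ip:proxy_port. Returns (new_line, client_endpoint);
    lines that are not a well-formed PORT pass through as (line, None)."""
    if not line.upper().startswith("PORT "):
        return line, None
    client_ep = parse_hostport(line)
    if client_ep is None:
        return line, None
    return "PORT %s\r\n" % format_hostport(proxy_ip, proxy_port), client_ep


def rewrite_pasv_reply(line, proxy_ip, proxy_port):
    """Reverse case (server behind the NAT): rewrite the server's 227 reply so
    the client connects to proxy_ip:proxy_port. Returns (new_line, server_endpoint);
    anything else, including a multi-line '227-' reply, passes through as (line, None)."""
    if not line.startswith("227 "):
        return line, None
    server_ep = parse_hostport(line)
    if server_ep is None:
        return line, None
    return ("227 Entering Passive Mode (%s).\r\n" % format_hostport(proxy_ip, proxy_port),
            server_ep)


if __name__ == "__main__":
    firewall = "192.0.2.1"                   # constructed: the proxy's external address
    # Constructed control-stream lines.
    print(rewrite_port_command("PORT 192,168,1,10,4,210\r\n", firewall, 50000))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,19,137).\r\n", firewall, 40000))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,300,1).\r\n", firewall, 40000))
```

In both directions the proxy keeps the endpoint it parsed (`client_endpoint` or `server_endpoint`) keyed on the port it advertised, so that when the rewritten peer connects to `proxy_ip:proxy_port` it knows where to open the onward connection. The rejection of out-of-range octets and a zero port matters because an attacker-controlled peer can put anything in the tuple and the proxy would otherwise connect to whatever it was told.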
