Greetings All,
I have been looking around for some detailed instructions on how best
to handle ftp through a pf firewall but I can't find anything. When I
get through I'll try and produce such a doc if it does not exist.
From the number of questions I found on the mailing list archive this
topic causes quite a bit of confusion.
My understanding is that although pf does stateful inspection it is not
protocol aware and is therefore not 'smart enough' to detect the port
commands and add those sessions to the state table. (Note I am not
saying that it should!). My understanding is that most of the 'commercial'
firewalls are protocol aware -- at least for ftp.
I take it that the preferred approach is to take all outgoing and
incoming sessions on port 21 and redirect them to a proxy which runs on
the firewall (or some other box). I am still trying to find the ftp
proxy in the OBSD distro (i386 3.4 CD) - any hints? The only package
with proxy in the name was transproxy -- is this it????
So, assuming that I have the proxy running I then need to rdr incoming
requests to the port where the proxy is running; that should be
straightforward. Then comes all the messy stuff with the data connection: to
make this work you need to make sure that the proxy has the
necessary access to the high numbered ports to make both active and
passive ftp work. (I have to sit down with a pen and paper and a copy
of Stevens to work out exactly what is required -- I always get
confused).
So my questions are: where do I get a suitable ftp proxy, and are there
any docs on setting them up?
Cheers and Thanks,
Russell
--
Russell Fulton                        /~\  The ASCII
Network Security Officer              \ /  Ribbon Campaign
The University of Auckland             X   Against HTML
New Zealand                           / \  Email!
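One way the redirect-to-proxy setup described in the post can be wired up on an OpenBSD 3.x pf box, as an added example that is not part of Russell's message or of any reply on the list: the ftp-proxy(8) that shipped with the 3.x releases was started from inetd rather than as a standalone daemon, so the configuration spans /etc/inetd.conf and /etc/pf.conf. The interface names, the LAN block, the 127.0.0.1:8021 listener, the installed path of ftp-proxy, the 'proxy' user and the 49152-65535 active-mode port range are all assumptions made for illustration; the ftp-proxy(8) and pf.conf(5) man pages on the 3.4 CD are authoritative, and `pfctl -nf /etc/pf.conf` parses the ruleset without loading it.

```pf
# /etc/inetd.conf -- start the proxy on the loopback address only.
# (Assumed path: the 3.x ftp-proxy lived under /usr/libexec and was run
# from inetd.)  -u proxy drops privileges to user 'proxy' so the active-mode
# pass rule below can match on the socket owner instead of a port range alone.
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy

# /etc/pf.conf (fragment) -- assumed interface names and LAN block
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# 1. Control channel: LAN clients' connections to port 21 are sent to the
#    proxy instead of to the remote server.  The proxy then opens its own
#    control connection to the real server and relays, rewriting the
#    PORT / PASV exchange as it goes -- this is the protocol awareness pf
#    itself does not have.
rdr on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# 2. Let the redirected sessions reach the proxy, and let the proxy's own
#    outbound connections (control and passive data) leave via $ext_if.
pass in  on $int_if proto tcp from $lan to 127.0.0.1 port 8021 flags S/SA keep state
pass out on $ext_if proto tcp from any to any flags S/SA keep state

# 3. Passive mode needs nothing more: the proxy initiates the data connection
#    to whatever port the server named in its 227 reply, and the 'pass out'
#    rule above creates state for it like any other outbound TCP session.

# 4. Active mode: the remote server connects *back* to a high port on which
#    the proxy is listening.  Rather than opening the whole ephemeral range
#    to anyone, accept only inbound connections that land on a socket owned
#    by user 'proxy' (assumed default range 49152-65535; the 'user' match
#    only works because the proxy runs on the firewall itself).
pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 user proxy flags S/SA keep state
```

This fragment covers the client-behind-the-firewall (outbound) case only; the default policy is assumed to be block-in, so no inbound port is reachable except those the proxy actually holds open. Publishing an FTP server that sits behind the firewall is a different configuration (reverse/NAT modes of the proxy), and the man page of the installed release should be followed for it rather than this example.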