Hi,
I had an idea...
At the moment PF needs the help of a proxy to accept connections that are
started from an external source. This means that we use ftp-proxy (for active
ftp) to analyze the control connection (from the client to the server) in order
to accept the data connection started by the server.
Q: How could we solve this with PF itself ?
A: Introducing the new feature "permit state" 8-)
We accept a connection from the destination of the packet that matched the
"permit state" rule. This option is "keep state" on steroids.
Example:
pass out inet proto tcp from $user to $server port 21 permit state
PF already checks every packet against the state table, so it should be easy to
add an option to be verified there. If a packet matches a "permit state" entry it
will be passed. As soon as the "permit state" entry is removed from the table,
those packets no longer match any state and so the ruleset will be evaluated
again.
While the state created by the above rule is in the table, PF will behave as
if the following rule had been added:
pass in inet proto tcp from $server to $user
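To make the proposed semantics concrete, here is a small model of the state-table
lookup, added as an example; it is not code from the post or from PF. Addresses,
ports and the Packet/State layout are constructed for illustration, and the
ruleset is reduced to the single rule above with default deny. It compares the
existing "keep state" behaviour with "permit state" for the active-ftp case, and
also shows what happens to an unrelated inbound connection from the same server.

```python
# Added example (not from the original post or from PF): a toy model of the
# state-table lookup described in the post, comparing "keep state" with the
# proposed "permit state" option.  Addresses, ports and the State/Packet
# layout are constructed assumptions; real PF states carry much more
# (sequence windows, timeouts, ...).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (towards the user) or "out" (from the user)
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class State:
    option: str     # "keep" or "permit"
    user: str       # $user: the host that opened the control connection
    uport: int
    server: str     # $server
    sport: int

USER = "10.0.0.5"       # constructed $user address
SERVER = "192.0.2.10"   # constructed $server address

class StateTable:
    def __init__(self):
        self.states = []

    def add(self, state):
        self.states.append(state)

    def remove(self, state):
        self.states.remove(state)

    def matches(self, pkt):
        """True if pkt is covered by an entry in the table."""
        for s in self.states:
            forward = (s.user, s.uport, s.server, s.sport)
            reverse = (s.server, s.sport, s.user, s.uport)
            # "keep state" (and "permit state"): packets belonging to the
            # connection that created the entry, in either direction.
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in (forward, reverse):
                return True
            # "permit state" only: while the entry exists, also accept any
            # inbound connection from the server host to the user host, which
            # is what the implicit "pass in ... from $server to $user" rule
            # does.  Note this covers every destination port, not only the
            # one the protocol actually needs.
            if (s.option == "permit" and pkt.direction == "in"
                    and pkt.src == s.server and pkt.dst == s.user):
                return True
        return False

def evaluate(table, pkt):
    """Verdict for one packet: state lookup first, then the ruleset.

    The ruleset is just the post's one rule: outbound connections from
    $user to $server port 21 pass; everything else is blocked (assumed
    default deny)."""
    if table.matches(pkt):
        return "pass:state"
    if (pkt.direction == "out" and pkt.src == USER
            and pkt.dst == SERVER and pkt.dport == 21):
        return "pass:rule"
    return "block"

def run_scenario(option):
    """Active-ftp scenario under a given state option.

    Returns the verdicts for the server's data connection and for an
    unrelated inbound connection, while the control state exists and after
    it has been removed from the table."""
    table = StateTable()
    control = Packet("out", USER, 40000, SERVER, 21)
    assert evaluate(table, control) == "pass:rule"
    table.add(State(option, USER, 40000, SERVER, 21))   # the rule created this entry

    data = Packet("in", SERVER, 20, USER, 40001)         # active-ftp data channel
    unrelated = Packet("in", SERVER, 6667, USER, 40002)  # some other service
    during = {"data": evaluate(table, data), "unrelated": evaluate(table, unrelated)}

    table.remove(table.states[0])   # control connection closed or timed out
    after = {"data": evaluate(table, data), "unrelated": evaluate(table, unrelated)}
    return {"during": during, "after": after}

if __name__ == "__main__":
    for opt in ("keep", "permit"):
        print(opt, run_scenario(opt))
```

With "keep" the data channel is blocked at every point, which is why ftp-proxy
is needed today; with "permit" it passes while the control entry lives and is
blocked again once the entry is gone. The "unrelated" result is the part worth
watching: the permit entry also passes any other inbound connection from the
server host during that window, so in practice it would want to be combined
with the port restrictions mentioned in the feature list below.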
Some features:
- active ftp without proxy
- multiplayer games without a special ruleset for every server
- h.323 and other protocols without proxy
- compatible with NAT
- combinable with other options like restrictions on port numbers, the number
of concurrent connections and most of today's PF features
w00t !
Ed