On Sun, Feb 29, 2004 at 11:14:53PM +0100, Ed White wrote:

> At the moment PF needs the help of a proxy to accept connections that start
> from an external source. This means that we use ftp-proxy (for active ftp) to
> analyze the control connection (from the client to the server) to accept the
> data connection started by the server.
ftp-proxy's primary function is to modify the payload of the control connection, and I don't see how any 'related'-like feature can replace that part of its functionality at all.

The typical case is an ftp client behind a NAT gateway. The client has an unroutable local address, say 10.1.2.3. It connects out to an external ftp server, and the control connection gets NATed to the gateway's external address. For an active data connection (server connecting back to client), the client tells the server what address and port to connect to, and that information is sent as payload in the control connection. As long as the client tells the external server to connect to 10.1.2.3, things don't work at all.

Even the most clever 'related'-like feature on the gateway can't forward the incoming data connection to the client when the connection doesn't even arrive at the gateway, because the server tries to connect to unroutable 10.1.2.3.

Daniel
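The payload problem Daniel describes, as an added illustration that is not part of the thread and not ftp-proxy's own code (ftp-proxy is written in C): the client's PORT command carries its private address, so a proxy on the gateway has to rewrite that line to the gateway's external address and a port it listens on, and remember where to forward the server's connection. The gateway address 203.0.113.7, the proxy port 49152 and the sample PORT line are constructed values.

```python
import ipaddress
import re

# Constructed sample: the PORT command a client at 10.1.2.3 sends on the
# control connection when it wants an active data connection.
# Format: PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256+p2
SAMPLE_PORT_LINE = "PORT 10,1,2,3,4,1\r\n"

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$", re.IGNORECASE)

# Addresses that are unroutable on the Internet (RFC 1918); a server
# connecting to one of these never reaches the gateway at all.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if not a PORT line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("PORT octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def rewrite_port(line, gateway_ip, proxy_port):
    """Rewrite a PORT command so the server connects to the gateway instead.

    Returns (new_line, mapping). mapping records the listener the gateway must
    open and the client address/port the incoming data connection is forwarded
    to. Lines that are not PORT, or announce a routable address, pass through
    unchanged with mapping None.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, None
    client_ip, client_port = parsed
    if not any(ipaddress.ip_address(client_ip) in net for net in RFC1918):
        return line, None  # routable: the server can reach it directly
    if not 1 <= proxy_port <= 65535:
        raise ValueError("proxy port out of range")
    new_line = "PORT %s,%d,%d\r\n" % (
        gateway_ip.replace(".", ","), proxy_port // 256, proxy_port % 256)
    mapping = {"listen": (gateway_ip, proxy_port),
               "forward_to": (client_ip, client_port)}
    return new_line, mapping
```

Without the rewrite the server would try to connect to 10.1.2.3:1025, which never arrives at the gateway; with it, the server connects to 203.0.113.7:49152 and the proxy relays that connection to the client.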
