On Tue, 23 Mar 2004, Russell Fulton wrote:
> I'm about to try out ftpsesame on our firewall. The system is set up
> as a bridge and I only filter on $ext_if.
>
> I intend running ftpsesame as
> ftpsesame -i $ext_if
>
> # ftp rules
> anchor ftpsesame out on $ext_if
> pass in quick on $ext_if proto tcp from any to <ftpc_in> port=21 flags S/SA
> modulate state
> anchor ftpsesame in on $ext_if proto tcp from any to <ftpc_in>
>
>
> I want ftpsesame to handle all outbound and inbound ftp traffic.
>
> Outbound we have other rules which control whether particular addresses
> have internet access or not,
> Inbound we have a table <ftpc_in> which lists all addresses on campus
> that have inbound access on port 21.
>
> Will this do what I want?
To be sure: <ftpc_in> contains _servers_ that can be accessed from the
internet, right? Then yes, this will work ok to allow active and passive
mode to the servers listed in <ftpc_in>.

However, if you allow ftp from campus users to the internet, active mode
will not work. You might want to consider the more general:

anchor ftpsesame on $ext_if proto tcp all
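As an added illustration (not from the thread and not from ftpsesame's own documentation), here is a pf.conf fragment that puts the reply's suggestion next to the original direction-bound anchors. $ext_if and the table <ftpc_in> come from the thread; the interface name, the table file paths and the <ftp_clients> table (standing in for the campus hosts that are allowed outbound internet access) are assumptions.

```pf
# Added example, not from the thread. Assumed values: the interface name,
# the table file paths and the <ftp_clients> table.
ext_if = "em0"                                          # assumed interface
table <ftpc_in>     persist file "/etc/pf/ftpc_in"      # campus FTP servers reachable from the internet (from the thread)
table <ftp_clients> persist file "/etc/pf/ftp_clients"  # assumed: campus hosts allowed outbound FTP

# The daemon from the thread: ftpsesame -i $ext_if

# Original form: each anchor is consulted for one direction only.
# Inbound control connections to <ftpc_in> are covered, but an active-mode
# data connection for a campus *client* arrives inbound from the remote
# server to a client address, which neither anchor matches.
# anchor ftpsesame out on $ext_if
# anchor ftpsesame in  on $ext_if proto tcp from any to <ftpc_in>

# General form suggested in the reply: one anchor for all TCP on $ext_if,
# so the rules ftpsesame loads apply whichever way a data connection opens.
anchor ftpsesame on $ext_if proto tcp all

# Control connections on port 21 still need explicit pass rules; the data
# connections are what ftpsesame opens inside the anchor.
pass in  quick on $ext_if proto tcp from any to <ftpc_in> port 21 flags S/SA modulate state
pass out quick on $ext_if proto tcp from <ftp_clients> to any port 21 flags S/SA modulate state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then without `-n`; `pfctl -a ftpsesame -sr` shows the rules ftpsesame has placed in the anchor while a transfer is in progress.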
