On Mon, 18 Jul 2005, Daniel T. Staal wrote:

> My setup is fairly simple: I have a NATed home network with several users
> and a web host that I serve a couple of websites off of. Ideally, of
> course, I'd like everything to Just Work: active and passive, both from
> all the clients and to the server. I'm just wondering what parts should
> be delegated to which handler, or if some direction/connection should be
> left off.
>
> From a scan of the man pages, ftpsesame looks to be able to handle just
> about everything except active client connections, and ftp-proxy seems to
> be able to handle everything major, but requires a lot of ports open.
> What else should I consider?
Warning: I wrote two of the three available proxies...

There are 3 options (in order of age):

1) ftp-proxy
2) ftpsesame
3) pftpx (but now available in OpenBSD _cvs_ in usr.sbin/ftp-proxy)

ftp-proxy is a "real" proxy. With the help of pf rdr it intercepts the
control connection and opens real (tcp) data connections on the user's
behalf. Except if you use the -n mode, where it assumes that passive
connections are allowed globally by the pf ruleset.

ftpsesame uses bpf to "sniff" the control connections. To allow the data
connections it commits rules into a special anchor. Advantages: totally
passive, works on a bridge as well. Disadvantages: can not handle NAT
situations well, since it cannot rewrite commands in the control
connection. It can also be racy, e.g. that rules are not committed in
time, but that does not seem to be a problem in practice.

pftpx uses a combination. It intercepts the control connection with rdr
like ftp-proxy does, but commits rules into an anchor to allow data
connections like ftpsesame does. It can handle all types of NAT, IPv6 and
all types of FTP.

I guess the last one is best for your situation. While it is available at:

http://www.sentia.org/downloads/pftpx-0.8.tar.gz

the last and best version is in OpenBSD cvs in src/usr.sbin/ftp-proxy

It's not connected to the build yet though, so it's not available in
snapshots. I can also not tell if it will make OpenBSD 3.8 or not.

Hope that sheds some light on the already confusing world of FTP. :-)

--
Cam
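The rdr-plus-anchor arrangement Cam describes for pftpx (the in-tree ftp-proxy) translates into a pf.conf fragment like the one below. This is an added example, not part of the thread and not taken from the pftpx or OpenBSD sources; it assumes the pre-4.7 pf syntax of the era (separate nat/rdr rules), the ftp-proxy(8) defaults of listening on 127.0.0.1 port 8021 and committing its rules into the "ftp-proxy" anchor, and constructed interface names and a constructed private address range.

```pf
# pf.conf fragment for a NATed home network using pftpx / in-tree ftp-proxy.
# Interface names and the internal range are constructed for this example.
ext_if  = "fxp0"
int_if  = "sis0"
int_net = "192.168.1.0/24"
proxy   = "127.0.0.1"

# Ordinary NAT for the clients behind the firewall.
nat on $ext_if from $int_net to any -> ($ext_if)

# The proxy commits its own nat/rdr rules for each data connection here,
# so no wide range of data ports has to be opened statically.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Intercept outbound FTP control connections from the clients and hand
# them to the proxy (default listen address/port assumed from ftp-proxy(8)).
rdr on $int_if proto tcp from $int_net to any port 21 -> $proxy port 8021

# Default deny, then only what is needed.
block in
block out

# Filter rules the proxy commits per data connection are evaluated here.
anchor "ftp-proxy/*"

# Redirected control connections must be allowed to reach the proxy ...
pass in quick on $int_if proto tcp from $int_net to $proxy port 8021 keep state
# ... and the proxy's own outbound control connections must be allowed out.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 21 keep state
# General outbound traffic for the NATed clients.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

The point to check after loading this is that `pfctl -a "ftp-proxy/*" -sr` (and `-sn`) only shows rules while an FTP data transfer is actually in progress; if the anchor stays populated after the session ends, or stays empty during a transfer, the rdr rule is not catching the control connection and the proxy never sees the PORT/PASV exchange. Note that the question's passive-to-the-server case (serving FTP to the outside) is a separate reverse-proxy setup and is not covered by this fragment.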
