--As of Monday, July 18, 2005 7:28 PM +0200, Camiel Dobbelaar is alleged to
have said:
> On Mon, 18 Jul 2005, Daniel T. Staal wrote:
>> My setup is fairly simple: I have a NATed home network with several users
>> and a web host that I serve a couple of websites off of. Ideally, of
>> course, I'd like everything to Just Work: active and passive, both from
>> all the clients and to the server. I'm just wondering what parts should
>> be delegated to which handler, or if some direction/connection should be
>> left off.
>> From a scan of the man pages, ftpsesame looks to be able to handle just
>> about everything except active client connections, and ftp-proxy seems to
>> be able to handle everything major, but requires a lot of ports open.
>> What else should I consider?
>
> Warning: I wrote two of the three available proxies...
>
> There are 3 options (in order of age):
> 1) ftp-proxy
> 2) ftpsesame
> 3) pftpx (but now available in OpenBSD _cvs_ in usr.sbin/ftp-proxy)

I wondered what had happened to pftpx. The last I'd seen of it was the
initial announcement on this list. I followed that address to your site,
and found out about ftpsesame, but I couldn't find pftpx.

> ftp-proxy is a "real" proxy. With the help of pf rdr it intercepts the
> control connection and opens real (tcp) data connections on the users'
> behalf. Except if you use the -n mode, where it assumes that passive
> connections are allowed globally by the pf ruleset.
>
> ftpsesame uses bpf to "sniff" the control connections. To allow the data
> connections it commits rules into a special anchor. Advantages: totally
> passive, works on a bridge as well. Disadvantages: cannot handle NAT
> situations well, since it cannot rewrite commands in the control
> connection. It can also be racy, e.g. that rules are not committed in
> time, but that does not seem to be a problem in practice.
>
> pftpx uses a combination. It intercepts the control connection with rdr
> like ftp-proxy does, but commits rules into an anchor to allow data
> connections like ftpsesame does. It can handle all types of NAT, IPv6
> and all types of FTP.
>
> I guess the last one is best for your situation.

Thank you muchly. That is just what I was looking for.

> While it is available at: http://www.sentia.org/downloads/pftpx-0.8.tar.gz
> the last and best version is in OpenBSD cvs in src/usr.sbin/ftp-proxy
> It's not connected to the build yet though, so it's not available in
> snapshots. I can also not tell if it will make OpenBSD 3.8 or not.

Is it in -current, so that if I upgraded from source I would get it? (I
assume so, or at least that I could pull it down and put it into such a
build.)
Daniel T. Staal
---------------------------------------------------------------
This email copyright the author. Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes. This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---------------------------------------------------------------
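The control-channel work that the three proxies in the thread are built around, as an added Python example that is not code from the thread nor from ftp-proxy, ftpsesame or pftpx: it parses PORT commands and 227 PASV replies, shows the PORT rewrite a NAT-aware proxy must perform (the step ftpsesame cannot do because it only sniffs), and builds the rule a pftpx-style proxy would commit into its anchor. The addresses, the rule wording and the mismatch check are constructed for illustration, not taken from any of the proxies.

```python
import re

# Constructed sample control-channel lines (not from the original thread).
PORT_CMD = "PORT 192,168,1,20,4,1\r\n"                              # client says: connect to 192.168.1.20:1025
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)\r\n"   # server says: connect to 203.0.113.5:50000

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple used by PORT and 227 replies."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in %r" % line)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: render ip:port as the six-byte FTP tuple."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def rewrite_port_command(line, proxy_ip, proxy_port):
    """NAT case: the client's private address in PORT is useless to the server, so a
    proxy on the gateway substitutes its own (public) listener. A sniffer cannot do this."""
    parse_hostport(line)  # validate before rewriting
    return "PORT %s\r\n" % format_hostport(proxy_ip, proxy_port)


def anchor_rule_for_pasv(reply, client_ip, server_ip):
    """Build the per-transfer rule a pftpx-style proxy would commit into its pf anchor.
    The data address in the 227 reply must match the control-connection peer; a reply
    pointing elsewhere is rejected rather than turned into a firewall hole.
    The rule text is an illustrative pf.conf-style line, not a proxy's exact output."""
    ip, port = parse_hostport(reply)
    if ip != server_ip:
        raise ValueError("PASV address %s does not match control peer %s" % (ip, server_ip))
    return ("pass in quick inet proto tcp from %s to %s port %d flags S/SA keep state"
            % (client_ip, ip, port))


if __name__ == "__main__":
    print(parse_hostport(PORT_CMD), parse_hostport(PASV_REPLY))
    print(rewrite_port_command(PORT_CMD, "198.51.100.1", 40001).strip())
    print(anchor_rule_for_pasv(PASV_REPLY, "192.168.1.20", "203.0.113.5"))
```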