On Fri, Mar 31, 2006 at 12:41:11AM +0700, IMS wrote:
> Now I try to write an ftp rule, but after reading from many books
> I found that they guide to use ftp-proxy.
> But my production site doesn't allow use of that.
>
> How could I write a rule for ftp?
FTP uses more than a single TCP connection. When an FTP client on your LAN connects to an FTP server on the Internet, it opens the so-called control connection, where it authenticates and issues commands, like LS to list a directory or GET to fetch a file. The result of these commands (the directory listing itself, or the contents of a file to fetch) is not, however, sent back through the same connection. Instead, a second TCP connection is established just for the purpose of transferring that data, the so-called data connection.

There are two modes of FTP, passive and active. In passive mode, the data connection is opened from client to server. The server picks a random high port to listen on, and tells the client _through the control connection_ what address and port to connect to. This will work without a proxy, if you allow outgoing NATed connections to random high ports.

In active mode, data connections are opened from server to client. The client picks a random high port and tells the server what address and port to connect to. This is what breaks due to NAT. The client tells the server to connect to its own unroutable address. First, the server can't connect to it at all, and even if it could reach the NATing firewall, the firewall wouldn't automatically port forward the connection.

What you need, for active mode, is some piece that intercepts the advertisement of the address/port the server should connect to, replaces it with the server's external address, and sets up the port forwarding on the firewall. With pf, that's done with ftp-proxy. Other firewalls do this internally. pf doesn't, and won't. We believe this should be done in userland. And our conviction is at least as strong as your site's policy. Live with passive mode only, use the proxy, or switch firewalls :)

Daniel
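To make the address/port advertisement in the reply above concrete, here is an added Python example (not code from the thread, pf or ftp-proxy) that parses the six-number form carried by a client PORT command or a server 227 reply, recovers the port from its two bytes, and flags advertisements of RFC 1918 addresses, which is the active-mode case that cannot work behind NAT. The sample control-channel lines are constructed, and the names `parse_hostport`, `nat_problem` and `report` are this example's own.

```python
import ipaddress
import re

# Six numbers carried by a client PORT command (active mode) or a server
# "227 Entering Passive Mode (...)" reply: h1,h2,h3,h4 = address, p1,p2 = port.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Addresses not routable across the Internet (RFC 1918).
_UNROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (mode, ip, port) advertised on the FTP control connection, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"      # server will connect back to the client
    elif text.startswith("227"):
        mode = "passive"     # client will connect out to the server
    else:
        return None
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    # The port travels as two bytes, high byte first.
    return mode, ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def nat_problem(line):
    """True when the advertised address is private, i.e. unreachable from the far side of a NAT."""
    parsed = parse_hostport(line)
    return parsed is not None and any(parsed[1] in net for net in _UNROUTABLE)

# Constructed sample control-channel lines (not captured from a real session).
SAMPLE_LINES = [
    "PORT 192,168,1,20,4,1",                             # active, private address: breaks behind NAT
    "227 Entering Passive Mode (198,51,100,7,195,149)",  # passive, outbound to the server: works
    "USER anonymous",                                    # nothing advertised
]

def report(lines=SAMPLE_LINES):
    """Return [(mode, ip, port, nat_problem)] for every advertisement in lines."""
    out = []
    for line in lines:
        parsed = parse_hostport(line)
        if parsed:
            out.append((parsed[0], str(parsed[1]), parsed[2], nat_problem(line)))
    return out
```

Running `report()` on the samples shows the PORT line advertising 192.168.1.20:1025 as a NAT problem and the 227 reply advertising 198.51.100.7:50069 as fine, which is exactly the passive-only outcome the reply recommends.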
