Jordi Espasa Clofent wrote:
> The scenario: bridge-based PF box with ftpsesame. OpenBSD 4.2,
> production environment. A lot of concurrent FTP sessions.
>
> 1. The final goal is to make active and passive FTP client
> connections possible AND do it with the best performance (using symon I
> see that the ftpsesame processes are slow sometimes).

It uses a lot of CPU you mean? Do you have a lot of activity on port 21?
(lots of small transfers maybe?)

Note that ftpsesame doesn't have anything to do with the actual FTP data
transfers, it just takes care of inserting PF rules that allow those; after
that it is all kernel.

> At the moment, I use the following rules:
>
> # FTP passive
> anchor "ftpsesame/*" in on $bridge proto tcp from any to <ftp_servers>
> anchor "ftpsesame/*" out on $bridge proto tcp from any to <ftp_servers>
>
> # FTP active
> anchor "ftpsesame/*" in on $bridge proto tcp from <ftp_servers> to any
> anchor "ftpsesame/*" out on $bridge proto tcp from <ftp_servers> to any
>
> pass quick on $bridge inet proto tcp from any to <ftp_servers> port 21
>
> I don't want to control any outbound connection (indeed I have a nice
> 'pass quick all' rule), so... are these rules the best in relation to
> performance issues?

That's all fine.

> 2. ftpsesame works fine, great app. I see it's a 0.95 version... and
> this version was made for OpenBSD 3.6. I suppose the program has not
> changed because the anchor treatment is the same in 3.6 as in 4.2/4.3.
> Am I right? Currently I use ftpsesame in a production environment, so it
> will be very unpleasant to upgrade from 4.2 to 4.3 and discover that
> ftpsesame does not work...

Should work; if it doesn't, contact me. :-)

I can vouch for OpenBSD 4.0.

> Is ftpsesame actively developed/supported nowadays?

Sure, but it has not been needed in the last 3 years...
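The reply above describes what an FTP helper on a PF box actually does: it watches the control channel on port 21 and inserts a pass rule for each data connection, after which the kernel handles the transfer. The following is an added example written for this page, not ftpsesame's code, showing the two parsing cases (a client's PORT command for active mode, the server's 227 reply for passive mode) and the sanity checks a practitioner would want before opening a hole: the address inside the command must belong to the endpoint that sent it (otherwise a client can open the firewall towards a third party, the classic FTP bounce), and the data port must not be a privileged one. The interface name bridge0, the exact pf rule syntax, the documentation addresses and the control-channel lines are all constructed assumptions; nothing here calls pfctl.

```python
"""Derive the PF pass rule an FTP helper would load for each data
connection seen on the control channel (port 21).

Added example, not ftpsesame's code: it only shows the parsing and the
sanity checks such a helper needs.  Interface name and rule syntax are
illustrative assumptions.
"""
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2), with range checks."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = (nums[4] << 8) | nums[5]
    if port < 1024:
        # RFC 2577: a data port below 1024 is a bounce attempt, not a transfer.
        raise ValueError("data port %d is privileged" % port)
    return ".".join(str(n) for n in nums[:4]), port


def data_rule(direction, src_ip, dst_ip, line, iface="bridge0"):
    """Return the pf rule for one control-channel line, or None.

    direction is "C>S" (client to server) or "S>C" (server to client).
    Active mode: the client sends PORT and the server connects from
    port 20 to it.  Passive mode: the server answers 227 and the client
    connects to the given port.  The address inside the command must be
    the sender's own address; anything else would open a hole towards a
    third party (FTP bounce).
    """
    if direction == "C>S":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        if host != src_ip:
            raise ValueError("PORT address %s is not the client %s" % (host, src_ip))
        return ("pass in quick on %s proto tcp from %s port 20 to %s port %d "
                "flags S/SA keep state" % (iface, dst_ip, host, port))
    if direction == "S>C":
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        if host != src_ip:
            raise ValueError("PASV address %s is not the server %s" % (host, src_ip))
        return ("pass in quick on %s proto tcp from %s to %s port %d "
                "flags S/SA keep state" % (iface, dst_ip, host, port))
    raise ValueError("unknown direction %r" % direction)


def process_exchange(exchange, iface="bridge0"):
    """Run every control-channel line through data_rule.

    Returns a list of (line, result) where result is the rule text or a
    string starting with "rejected:"; lines that carry no data-port
    information are skipped.
    """
    out = []
    for direction, src_ip, dst_ip, line in exchange:
        try:
            rule = data_rule(direction, src_ip, dst_ip, line, iface)
        except ValueError as e:
            out.append((line, "rejected: %s" % e))
            continue
        if rule is not None:
            out.append((line, rule))
    return out


# Constructed sample control-channel traffic (documentation addresses,
# not a capture from anyone's network).  Client 198.51.100.7, server 192.0.2.10.
SAMPLE_EXCHANGE = [
    ("C>S", "198.51.100.7", "192.0.2.10", "USER anonymous"),
    ("C>S", "198.51.100.7", "192.0.2.10", "PORT 198,51,100,7,195,88"),
    ("S>C", "192.0.2.10", "198.51.100.7", "227 Entering Passive Mode (192,0,2,10,200,10)"),
    ("C>S", "198.51.100.7", "192.0.2.10", "PORT 203,0,113,5,0,25"),       # bounce to port 25
    ("S>C", "192.0.2.10", "198.51.100.7", "227 Entering Passive Mode (10,0,0,1,220,0)"),  # wrong host
]

if __name__ == "__main__":
    for line, result in process_exchange(SAMPLE_EXCHANGE):
        print("%-48s -> %s" % (line, result))
```

A real helper would write each accepted rule into a sub-anchor under the ftpsesame/ anchor that the poster's pf.conf already references (pfctl can load a rule file into a named anchor with -a and -f) and remove it again once the data connection's state has been created; that lifecycle, and the direction in which a bridged rule must be placed, are left out here because the page does not describe how ftpsesame handles them.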
