Hi,
Matt Rowley wrote:
>> As far as I know, this only applies to _active_ ftp, about which I am
>> not concerned at the moment.
> Ah yes... that's what I get for doing e-mail at 6am. :-/

No bother.

> Your problem description seems to imply that you have a block out all and
> that you're only allowing select outbound traffic. In which case you would

Yes, that is true.

> need to either open (for outbound, stateful traffic) all the ephemeral ports

That is what I was afraid of. To be honest, I would not like to do that.

> that ftp-proxy uses for outbound stateful traffic, or you could probably
> reverse the rule I gave you and do pass out from user proxy keep state.

The problem here (at least to my understanding) is that the proxy does not
try to handle all the connections; the client still needs to
contact the ftp server directly. This seems different from how 'frox'
works, for example, where the client actually establishes one connection
to the proxy and anything else is then done by the proxy exclusively.
One workaround I was thinking of is to use a pf route-to rule to route
all ftp traffic to a separate frox server. However, I thought there must
be a way of setting up a transparent ftp proxy with native OpenBSD tools...
Thanks,
--
Stephan A. Rickauer
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53
http://www.ini.ethz.ch
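The following pf.conf fragment is an added illustration of the rule Matt suggests, not a configuration from either poster. It assumes the inetd-started ftp-proxy(8) of that era (listening on 127.0.0.1 port 8021 and running as user "proxy") and an old-style pf with "rdr" rules; the interface names and client network are placeholders. Its point is that a block-all policy does not have to open the ephemeral ports to every host: the "user proxy" keyword restricts the outbound holes to sockets owned by the proxy's uid, so ordinary clients still cannot reach arbitrary high ports directly. Newer OpenBSD releases use anchors and "rdr-to" for ftp-proxy, so the syntax would differ there.

```pf
# Added example (not from the thread). Assumptions: inetd runs
# /usr/libexec/ftp-proxy on 127.0.0.1:8021 as user "proxy";
# interface and network names below are placeholders.
ext_if  = "fxp0"         # placeholder external interface
int_if  = "fxp1"         # placeholder internal interface
int_net = "10.0.0.0/24"  # placeholder client network

# Default deny in both directions, matching a "block out all" policy.
block all

# Transparently redirect the clients' FTP control connections to the
# local proxy instead of letting them reach the server directly.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 \
    flags S/SA keep state

# Outbound holes scoped to the proxy's own uid rather than to all hosts.
# Control channel to the remote server:
pass out on $ext_if proto tcp from ($ext_if) to any port 21 \
    user proxy flags S/SA keep state

# Passive-mode data channels the proxy opens on the client's behalf land
# on the server's ephemeral ports; still limited to sockets owned by "proxy".
pass out on $ext_if proto tcp from ($ext_if) to any port > 1023 \
    user proxy flags S/SA keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -ss" afterwards shows that the only outbound states to high ports belong to the proxy's connections, which is the check that confirms the scoping worked.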