Paul B. Henson wrote:
> On Wed, 12 Jun 2002, Jefferson Ogata wrote:
>
>>The FTP proxy doesn't theoretically require an IP address. It just sits
>>inline and adds rules as it observes PORT commands. It may not work,
>>but there's no reason it couldn't work theoretically in a bridge
>>configuration.
>
> Exactly. In fact, I wouldn't even consider this a proxy per se. It is not
> really a man in the middle so much as an observer. Its only job is to
> monitor the data flow and add a dynamic rule so the active FTP connection
> back to the client succeeds. It does not intercept or modify the content of
> the exchange and has no active role.
Nevertheless, in the parlance of IP Filter, it's a "proxy", as in:
map iprb0 192.168.0.0/24 -> 0/0 proxy port ftp ftp/tcp
And of course, it *does* intercept the content, though it will not modify it
in this particular case. I don't use OpenBSD in bridging mode, so I don't know
whether this works with IP Filter or not, but there's no theoretical reason it
can't.
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
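The behaviour both posters describe (watch the control channel, and for each PORT command add one dynamic rule so the server's data connection from port 20 back to the client gets through) is sketched below as an added example. It is not IP Filter code and not from either poster; it models the bridging case, where addresses are not translated, and the rule text is illustrative IP Filter syntax. The interface name iprb0 comes from the ipnat rule above; the addresses, the sample control-channel lines, and the two sanity checks (the PORT host must equal the client's own address, and ports below 1024 are refused, which is the FTP bounce defence recommended in RFC 2577) are this example's assumptions, not a statement about what IP Filter's proxy actually checks.

```python
"""Added example: an inline FTP 'observer' turning PORT commands into rules.

Not IP Filter code.  Models the bridging case (no address translation).
"""
import re
from ipaddress import IPv4Address

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then the port
# as two bytes, high byte first.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line, client_ip):
    """Return (host, port) from a PORT command, or raise ValueError.

    client_ip is the source address of the control connection.  The host
    named in PORT must equal it: opening a rule to any other address would
    let the client aim the server's data connection at a third party (the
    FTP bounce pattern).  Ports below 1024 are refused for the same reason.
    Both checks are this example's policy (assumption), not a description
    of IP Filter's proxy.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % line)
    host = IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    if host != IPv4Address(client_ip):
        raise ValueError("PORT host %s != control-connection client %s"
                         % (host, client_ip))
    return str(host), port


def dynamic_rule(server_ip, client_ip, port, iface):
    """The one-off rule the filter needs: the server's data connection,
    from port 20, inbound to the client's advertised address and port.
    Illustrative IP Filter syntax (assumption), not what ipf emits."""
    return ("pass in quick on %s proto tcp from %s port = 20 "
            "to %s port = %d flags S keep state"
            % (iface, server_ip, client_ip, port))


def observe(control_lines, client_ip, server_ip, iface="iprb0"):
    """Watch client->server control-channel lines as the inline observer
    does.  Non-PORT lines are left alone; each valid PORT yields one
    dynamic rule; invalid ones are recorded and yield no rule."""
    rules, rejected = [], []
    for line in control_lines:
        if not line.upper().startswith("PORT"):
            continue
        try:
            host, port = parse_port_command(line, client_ip)
        except ValueError as exc:
            rejected.append((line.strip(), str(exc)))
            continue
        rules.append(dynamic_rule(server_ip, host, port, iface))
    return rules, rejected


if __name__ == "__main__":
    # Constructed sample control-channel traffic (not a real capture).
    sample = [
        "USER anonymous",
        "PASS guest@",
        "PORT 192,168,0,10,192,1",   # legitimate: 192.168.0.10:49153
        "LIST",
        "PORT 10,0,0,5,0,25",        # bounce attempt: other host, port 25
        "PORT 192,168,0,10,3,232",   # port 1000: privileged, refused
        "QUIT",
    ]
    rules, rejected = observe(sample, "192.168.0.10", "203.0.113.5")
    for r in rules:
        print(r)
    for line, why in rejected:
        print("rejected %r: %s" % (line, why))
```

Running it prints one rule, for 203.0.113.5 port 20 to 192.168.0.10 port 49153, and two rejections. The same observer would be fed the server's replies only to learn nothing; it never touches the content, which is the "no active role" point Paul makes above.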