I have an idea. Dunno if anyone else has suggested, tried, or shot it down previously. I'm not a programmer and as such am not sure if this is even possible with PF.

Take this scenario: a client, a firewall, and an external host. An active mode FTP client connects from source port N through the firewall to the external host on port 21. The firewall is inspecting all outbound traffic on port 21 and watching for the PORT command. The client sends a PORT N+1 command to the server. The firewall, which is monitoring this, picks up the PORT N+1 and automatically inserts a hole into the firewall which permits traffic from the server on port 20 to the client on port N+1. This would remove the need to run an ftp proxy to handle active mode connections using the

    client ---> firewall ----> server    command port connection
    client <--- firewall <---- server    data port connection

scenario, and would also do away with rules such as

    pass in quick on $ext_if proto tcp from any port 20 to any port 55000 >< 55100 flags S/SA keep state

which I've seen various people using to handle the return traffic. That's actually the bit I don't like at all. Mainly because if you're running a transparent bridging firewall, ftp-proxy doesn't work.

You could do the same for trying to handle passive mode FTP connections inbound to a server from an external client:

    client ---> firewall ----> server    command port connection
    client ---> firewall ----> server    data port connection

The firewall sees the PASV command and automatically injects a temporary rule to permit the second connection from the client to the server using the correct ports.

Just a suggestion. I used to use a Sun firewall product called SPF200 which had a similar technology for handling FTP in transparent and routed mode.

Cheers,
Adrian.
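The control-channel inspection described in the post, as an added example that is not part of the original message or of PF itself: it decodes the RFC 959 "h1,h2,h3,h4,p1,p2" form of a client PORT command and of a server 227 (PASV) reply, derives the single data-channel 4-tuple each one implies, and renders it as a pf rule in the same shape as the static 55000 >< 55100 rule quoted above. The client and server addresses, the interface name $ext_if, and the sample lines are constructed for the example; the host-match check is there because a PORT or 227 naming a third host is the classic FTP bounce case and must not be turned into a hole.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Both encodings follow RFC 959: address as h1,h2,h3,h4 and port as p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class DataHole:
    src: str
    src_port: Optional[str]   # None when the source port is not known in advance
    dst: str
    dst_port: int

    def pf_rule(self, iface: str = "$ext_if") -> str:
        # Same shape as the post's static rule, narrowed to one exact data connection.
        src = f"{self.src} port {self.src_port}" if self.src_port else self.src
        return (f"pass in quick on {iface} proto tcp from {src} "
                f"to {self.dst} port {self.dst_port} flags S/SA keep state")


def _decode(groups) -> tuple:
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def hole_from_control(line: str, client_ip: str, server_ip: str, direction: str) -> Optional[DataHole]:
    """Inspect one control-channel line and return the data hole it requires, or None.

    direction is "c2s" (client -> server, look for PORT) or "s2c" (server -> client, look for 227).
    """
    if direction == "c2s":
        m = PORT_RE.match(line)
        if not m:
            return None
        host, port = _decode(m.groups())
        # Active mode: only open a hole back to the client that issued the command (no bounce).
        if host != client_ip or not 1024 <= port <= 65535:
            return None
        return DataHole(src=server_ip, src_port="20", dst=client_ip, dst_port=port)
    if direction == "s2c":
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = _decode(m.groups())
        # Passive mode: the client connects to the port the server advertised on its own address.
        if host != server_ip or not 1024 <= port <= 65535:
            return None
        return DataHole(src=client_ip, src_port=None, dst=server_ip, dst_port=port)
    raise ValueError(f"unknown direction {direction!r}")
```

A real implementation would also have to expire the hole once the data connection's state entry exists, which is exactly what ftp-proxy's anchor rules do for it.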