Hi, I'm not sure whether Ed's idea would be the best way to do it, but it raises a very good question that sometimes makes pf not as useful as it should be.

When one sets up a firewall, I agree that it can be globally the same whether FTP is transparently proxied through a user-space proxy or directly managed by the kernel. Both cases can be efficient, and the former is simpler and probably clearer, as it reduces the amount of protocol-specific code in the kernel. However, when one does bridge traffic shaping, this is not the same thing at all: proxying means that you are not bridging any more, using an IP address for the bridge, and so on. I really think it is a very dirty solution. The kernel-space solution here is much cleaner, as it is transparent for the firewall administrator. Thus he does not have to take care of the ports used by the FTP protocol.

The idea of ftpsesame could be good, but it does not seem to be on the way to inclusion into the tree... I really think the OpenBSD bridge/traffic shaper solution is the best available (by far). But having to proxy FTP or manage FTP data by ports is such a pain in the neck...

Julien
