Re: PF and ftp: to use or not to use ftp-proxy ?
On 2012-06-26, Илья Шипицин chipits...@gmail.com wrote:
> match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535

You know people can choose their own source port number? It's just as safe to do

from any to $external port 1024:65535...
PF and ftp: to use or not to use ftp-proxy ?
Hello!

I managed to get ftp through PF working either without ftp-proxy ...

match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20

or with ftp-proxy...

pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021

/etc/rc.local:
/usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v

I asked whether it is possible to use multiple instances of ftp-proxy, and it turned out that several people are running reverse ftp-proxy in production.

So... can anybody help me to choose between the two options above? With ftp-proxy or without ftp-proxy?

Cheers,
Ilya Shipitsin
Re: PF and ftp: to use or not to use ftp-proxy ?
On Tue, 26 Jun 2012 14:51:35 +0600 Илья Шипицин chipits...@gmail.com wrote:
> Hello!
>
> I managed to get ftp through PF working either without ftp-proxy ...
>
> match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
> match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
> match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20
>
> or with ftp-proxy...
>
> pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021
>
> /etc/rc.local:
> /usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v
>
> I asked whether it is possible to use multiple instances of ftp-proxy, and it turned out that several people are running reverse ftp-proxy in production.
>
> So... can anybody help me to choose between the two options above? With ftp-proxy or without ftp-proxy?

Your solution without ftp-proxy won't work when other services expect incoming tcp connections in the high port range. ftp-proxy will only open and forward ports that have been negotiated in the ftp control connection. This is safer and will not interfere with other services.

Use ftp-proxy.

Christopher
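The two replies above make one point from two angles: the static rule keyed on "from any port = ftp-data" is under the client's control, while a reverse ftp-proxy opens a high port only after the control channel names it. The following is an added example (not part of this thread and not OpenBSD or ftp-proxy code) that models both decisions in Python so the difference can be checked on a constructed connection. It does not run pf; the $external and $internal addresses, the client addresses and the 227 reply are all constructed, and the proxy model is deliberately simplified (PASV only, no anchor rules).

```python
"""
Model of the two pf approaches discussed in this thread.

Added example, not OpenBSD code: it does not run pf or ftp-proxy, it only
models how each approach decides which inbound connection gets redirected to
the internal FTP server. Addresses and the PASV reply are constructed.
"""
import re
from dataclasses import dataclass

EXTERNAL = "203.0.113.10"  # assumed value of $external (documentation range)
INTERNAL = "10.0.0.5"      # assumed value of $internal


@dataclass(frozen=True)
class Conn:
    """An inbound TCP SYN as pf would see it on the external interface."""
    src: str
    sport: int
    dst: str
    dport: int


def static_rdr(conn):
    """Where the thread's static rule set would rdr-to, or None if no rule matches.

    Mirrors the three 'match in ... rdr-to' rules from the original post:
      to $external port ftp                       -> $internal port 21
      from port ftp-data to $external 1024:65535  -> $internal same port
      to $external port ftp-data                  -> $internal port 20
    """
    if conn.dst != EXTERNAL:
        return None
    if conn.dport == 21:
        return (INTERNAL, 21)
    if conn.sport == 20 and 1024 <= conn.dport <= 65535:
        # The only thing keying this rule is the client's source port,
        # which the client picks itself (e.g. nc -p 20 or a raw socket).
        return (INTERNAL, conn.dport)
    if conn.dport == 20:
        return (INTERNAL, 20)
    return None


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply from the FTP server
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class ProxyModel:
    """Simplified model of a reverse ftp-proxy (ftp-proxy -R $internal).

    Only the control connection is redirected unconditionally. A data port is
    opened only after the server's 227 reply names it, and only for the client
    that owns that control session. Only PASV is modelled here; the real
    ftp-proxy also handles PORT/EPRT/EPSV and installs pf rules via an anchor.
    """

    def __init__(self):
        self.allowed = set()  # (client address, negotiated data port)

    def observe_server_reply(self, client, line):
        """Parse a 227 reply and record the negotiated port for this client."""
        m = PASV_RE.match(line)
        if not m:
            return None
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            return None                 # malformed reply: open nothing
        port = (p1 << 8) | p2
        if port < 1024:
            return None                 # refuse to expose a privileged port
        self.allowed.add((client, port))
        return port

    def rdr(self, conn):
        """Where the proxy model would forward this connection, or None."""
        if conn.dst != EXTERNAL:
            return None
        if conn.dport == 21:
            return (INTERNAL, 21)
        if (conn.src, conn.dport) in self.allowed:
            return (INTERNAL, conn.dport)
        return None


if __name__ == "__main__":
    # Constructed: a client that set its own source port to 20 and aims at 3389.
    attacker = Conn("198.51.100.7", 20, EXTERNAL, 3389)
    print("static rules:", static_rdr(attacker))      # (INTERNAL, 3389)
    proxy = ProxyModel()
    print("ftp-proxy   :", proxy.rdr(attacker))       # None
    proxy.observe_server_reply("198.51.100.7",
                               "227 Entering Passive Mode (10,0,0,5,195,80)")
    print("negotiated  :", proxy.rdr(Conn("198.51.100.7", 51234, EXTERNAL, 50000)))
```

Running it shows the static rule forwarding a source-port-20 connection to any high port on $internal (3389 here), while the proxy model forwards nothing on a high port until a 227 reply has named it, and then only for the client that received that reply.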