Re: Redirect to ftp-proxy when client is on localhost?
On Tue, 4 Jul 2006, [EMAIL PROTECTED] wrote:

> I like the 3.9 ftp-proxy so much I'm thinking "wouldn't it be nice if,
> in addition to the clients inside my lan, ftp connections from this very
> openbsd machine went through it also".
>
> Is this just a silly idea? Is this possible, trivial, tricky? Done
> before?

I don't think it can be reliably done. It would only be possible if pf(4) supported rdr on outbound packets, which it does not (which is a good thing IMHO; it would create far more problems than it would solve).

To use FTP on the local machine, rules like the ones below will prove far more robust (note the "group staff", adjust as needed):

    pass in on $ext_if from any to $ext_if port > 49151 group staff keep state
    pass out on $ext_if from $ext_if to any port > 1023 group staff keep state

That does not enforce that the FTP protocol is used, but hey, a machine firewalling for a local lan can not have that many untrusted ftp'ing users now can it? :-)

--
Cam
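As an added example (not code from Cam or John), this 3.9-era pf.conf sketch shows how the textbook ftp-proxy redirect for LAN clients sits next to the "group staff" rules suggested above for FTP sessions that start on the firewall itself; the interface macros, the LAN prefix and the proxy user name are assumptions to adjust for your own setup.

```pf
# Added example, not from the thread. Assumed macros; adjust as needed.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# LAN clients: their FTP control connections arrive *inbound* on $int_if,
# so rdr can hand them to the local ftp-proxy(8) (default port 8021).
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# ftp-proxy inserts its per-session data-channel rules into this anchor.
anchor "ftp-proxy/*"

# Let the proxy process itself reach remote FTP servers.
pass out on $ext_if proto tcp from $ext_if to any port 21 user proxy keep state

# FTP clients run on this box cannot be rdr'd (pf does no rdr on outbound
# packets), so instead trust sockets owned by group "staff".
# Passive mode: the client opens outbound data connections to high ports.
pass out on $ext_if proto tcp from $ext_if to any port > 1023 group staff keep state
# Active mode: the server connects back to an ephemeral (> 49151) port
# that a staff user's ftp process is listening on.
pass in on $ext_if proto tcp from any to $ext_if port > 49151 group staff keep state
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it; as Cam notes, the staff rules admit any TCP traffic on those ports, not just FTP.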
Redirect to ftp-proxy when client is on localhost?
Hello,

I like the 3.9 ftp-proxy so much I'm thinking "wouldn't it be nice if, in addition to the clients inside my lan, ftp connections from this very openbsd machine went through it also".

Is this just a silly idea? Is this possible, trivial, tricky? Done before?

I found nada on google, but a freebsd post attempting something similar which suggested that as the initial packet never goes "in" to the ext_if the obvious rdr won't work. Instead it is necessary to snag it with a 'pass out' rule and use 'route-to' to pipe it back through localhost. Using this technique I can get tcpdump to prove these packets hit the lo0 (although with their initial addresses)...

    pass out quick route-to (lo0 127.0.0.1) proto tcp from any to any port 21

Great, that was 6 hours. Now to push them through the proxy I'm expecting an rdr similar to the text book example will lead me home. No luck so far...

    rdr pass on lo0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

... just doesn't seem to catch them. I'm expecting ftp-proxy on full debug would have something to say if it was getting them. The last step would presumably be a 'pass out' for anything ftp from user proxy.

I'm betting that some bright spark/anal geek has tried this before, and perhaps hope that they can throw me a bone. Otherwise am I just wasting everyone's time and should follow the tried and true path like a good sheep?

Thanks,
John.