
Re: ftpsesame and pf.conf



On Tue, 23 Mar 2004, Russell Fulton wrote:
> I'm about to try out ftpsesame on our firewall.  The system is set up
> as a bridge and I only filter on $ext_if.
> 
> I intend running ftpsesame as
> ftpsesame -i $ext_if
>
> # ftp rules
> anchor ftpsesame out on $ext_if
> pass in quick on $ext_if proto tcp from any to <ftpc_in> port=21 flags S/SA modulate state
> anchor ftpsesame in on $ext_if proto tcp from any to <ftpc_in>
>
> I want ftpsesame to handle all outbound and inbound ftp traffic. 
> 
> Outbound we have other rules which control whether particular addresses
> have internet access or not,
> Inbound we have a table <ftpc_in> which lists all addresses on campus
> that have inbound access on port 21.
> 
> Will this do what I want?
To be sure: <ftpc_in> contains _servers_ that can be accessed from the
internet, right?
Then yes, this will work ok to allow active and passive mode to the 
servers listed in <ftpc_in>.
However, if you allow ftp from campus users to the internet, active mode 
will not work.
You might want to consider the more general:
anchor ftpsesame on $ext_if proto tcp all
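
Added example (not part of the original thread and not ftpsesame's own code): a small Python model of which FTP data connections each anchor layout hands to ftpsesame's dynamic rules. It assumes, as a simplification, that $ext_if faces the internet and that an anchor line is evaluated only for packets matching its own direction and destination filter; all addresses are constructed samples.

```python
import ipaddress

# Constructed sample addresses (documentation ranges).
SERVER = ipaddress.ip_address("192.0.2.10")    # campus FTP server, listed in <ftpc_in>
CLIENT = ipaddress.ip_address("192.0.2.77")    # campus FTP client, not in <ftpc_in>
REMOTE = ipaddress.ip_address("198.51.100.5")  # any host on the internet
FTPC_IN = {SERVER}

# The four kinds of FTP data connection as seen on $ext_if:
# (label, direction on $ext_if, destination address)
DATA_CONNS = [
    ("passive: internet client -> campus server", "in", SERVER),
    ("active: campus server -> internet client", "out", REMOTE),
    ("passive: campus client -> internet server", "out", REMOTE),
    ("active: internet server -> campus client", "in", CLIENT),
]

# Anchor lines reduced to (direction or None, destination table or None).
ORIGINAL = [("out", None), ("in", FTPC_IN)]  # the two anchor lines in the question
GENERAL = [(None, None)]                     # anchor ftpsesame on $ext_if proto tcp all


def reaches_anchor(anchors, direction, dst):
    """True if at least one anchor line's filter matches the connection."""
    return any(
        (d is None or d == direction) and (table is None or dst in table)
        for d, table in anchors
    )


def not_covered(anchors):
    """Data connections that never reach ftpsesame's rules under this layout."""
    return [
        label
        for label, direction, dst in DATA_CONNS
        if not reaches_anchor(anchors, direction, dst)
    ]


if __name__ == "__main__":
    print("original layout misses:", not_covered(ORIGINAL))
    print("general layout misses: ", not_covered(GENERAL))
```

Under the original layout the only uncovered case is the inbound data connection of an active-mode session started by a campus client, because its destination is not in <ftpc_in>.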