
ftp through transparent filtering bridge



Hi Guys,
an excuse for my question:
I am relatively new to OpenBSD (and PF), though not so to other
firewalling/filtering/NATing :)
   Now, a few days ago I set up a transparent bridge on a freshly
installed OpenBSD 3.6 (my experience with OpenBSD started with 3.5 used
as a desktop, just to learn the system, then I just read about PF, not
actually used it). And I did my homework and read some info from OpenBSD
and around. Setting it up was therefore very easy; now it's time for
problems.
   At first I did it almost completely open from within and almost
completely blocking from without. And it worked like a charm. Now I'd like
to get it more blocking also from within, just in case some of my users
(I am at one of the departments at the university) get too smart and
would like to start bothering others.
   One of the valid things (with other ones not problems whatsoever :) 
for me is trying to get something from without via ftp but there is some 
problem and therefore the question. And I didn't find my answer in other 
docs :(
   As the bridge is completely transparent and without ANY IP number on
any of the two cards, I cannot solve my ftp problem via the local ftp-proxy
solution described in the documentation. Also, setting simple rules like:
pass in quick on $ext_if proto tcp from { $local } to any port = \
  ftp-data flags S/SA keep state
pass in quick on $ext_if proto tcp from { $local } to any port = \
  ftp  flags S/SA keep state
gets me from a client behind the bridge to the server outside (I even get
banners/readmes) but any dir/ls gets back to me.
   Are there any smarter solutions I haven't found yet? I know that
Linux's iptables makes use of a special connection tracking module for ftp
to handle that problem but ... is there anything like this for OpenBSD?
If things like this are solvable, shouldn't the solutions find their way to
the bridging part of the FAQ? I'd suggest so very strongly :)
Best regards
Romek
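
Added example, not part of the original message: a sketch of what an FTP connection-tracking helper reads from the control channel, and why a directory listing needs a second connection that rules matching only destination ports ftp and ftp-data from the local side do not describe. The addresses are constructed documentation addresses, the function names are hypothetical, and covered_by_rules is a simplified model of the two rules quoted in the message.

```python
import re

# Six comma-separated numbers, as in "PORT h1,h2,h3,h4,p1,p2" and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def expected_data_conn(line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) of the data connection
    announced by one control-channel line, or None if it announces none.
    A src_port of None means an ephemeral port chosen by the sender."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(map(str, nums[:4]))
    port = nums[4] * 256 + nums[5]
    if line.upper().startswith("PORT "):
        # Active mode: the server connects from ftp-data (20) to the client.
        return (server_ip, 20, ip, port)
    if line.startswith("227"):
        # Passive mode: the client connects to a port the server picked.
        return (client_ip, None, ip, port)
    return None

def covered_by_rules(conn, local_ips):
    """Simplified model of the two quoted rules: a new connection from a
    local host to destination port 20 (ftp-data) or 21 (ftp)."""
    src_ip, _, _, dst_port = conn
    return src_ip in local_ips and dst_port in (20, 21)

# Constructed sample control-channel lines.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLES = [
    "PORT 192,0,2,10,195,80",                           # sent by the client
    "227 Entering Passive Mode (198,51,100,5,234,96)",  # sent by the server
]

if __name__ == "__main__":
    for s in SAMPLES:
        conn = expected_data_conn(s, CLIENT, SERVER)
        print(s, "->", conn, "covered:", covered_by_rules(conn, {CLIENT}))
```

In both modes the data connection falls outside the modelled rules: in active mode it is opened by the server towards the client, and in passive mode it goes to a high port on the server.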