
Re: ftp throu transparent filtering bridge

On Tue, Nov 23, 2004 at 11:24:18AM +0100, Roman Marcinek wrote:
>   As the bridge is completely transparent and without ANY IP number on 
> any of the two cards I cannot solve my ftp problem via local ftp-proxy 
> solution described in the documentation. Also setting simple rules like:
> pass in quick on $ext_if proto tcp from { $local } to any port = \
>   ftp-data flags S/SA keep state
> pass in quick on $ext_if proto tcp from { $local } to any port = \
>   ftp  flags S/SA keep state
> gets me from a client behind the bridge to the server outside (I even get 
> banners/readmes) but any dir/ls gets back to me.
Your solution is good with a transparent bridge PF installation. But be
careful, it works only with FTP in passive mode (connection from client
to server for ftp_data).
>    Are there any smarter solutions I haven't found yet? I know that 
> linux's iptables make use of special connection tracking module for ftp 
> to handle that problem but ... is there anything like this for OpenBSD?
> If things like this are solvable shouldn't the solutions find the way to 
> the bridging part of FAQ? I'd suggest so very strongly :)
No, PF has no application connection tracking (like iptables
ftp_conntrack). That's why there is a userland ftp-proxy in OpenBSD.
PF devs don't like application (OSI layer 7) connection tracking: for
needs like that, a userland proxy is the solution (according to their
A++ Foxy
Laurent Cheylus <[email protected]> OpenPGP ID 0x5B766EC2
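The point of the reply above (a stateful but application-unaware filter lets passive FTP through because the client opens the data connection, while active FTP needs something that reads the control channel, like ftp-proxy or iptables' ftp_conntrack) can be shown with a small simulation. This is an added illustration, not code from the thread, from PF or from ftp-proxy: the addresses, the ports, the `Filter` class and the rule model (connections initiated from `$local` are passed with state; nothing else is) are all constructed assumptions.

```python
"""Toy model of FTP data-connection handling behind a stateful,
application-unaware packet filter (the transparent PF bridge of the
thread), plus the extra step an FTP-aware helper adds.

Everything here is a constructed illustration: the RFC 5737 addresses,
the ports and the simplified rule model are assumptions, not pf output.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Assumed stand-in for the thread's "$local" macro (constructed network).
LOCAL = ipaddress.ip_network("192.0.2.0/24")

# Both "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (h1,...,p2)"
# carry the address and port in the same comma-separated form.
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(line: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form into ("h1.h2.h3.h4", p1*256 + p2)."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no host/port tuple in {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in {line!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Syn:
    """First packet of a TCP connection as the bridge sees it."""
    src: str
    dst: str
    dport: int


@dataclass
class Filter:
    """Stateful filter: passes connections initiated from $local (the
    thread's rules, generalised to any destination port) and any expected
    connection an FTP-aware helper has registered ("pinholes")."""
    pinholes: set[Syn] = field(default_factory=set)

    def passes(self, syn: Syn) -> bool:
        if ipaddress.ip_address(syn.src) in LOCAL:
            return True              # client-initiated: rule matches, state is created
        return syn in self.pinholes  # server-initiated: only if a helper announced it

    def track_control_line(self, client: str, server: str, line: str) -> Syn | None:
        """What ftp-proxy / ftp_conntrack do: read the control channel and
        register the data connection it announces. Returns the expected SYN."""
        if line.startswith("PORT "):
            host, port = parse_hostport(line)
            if host != client:       # never open a hole towards a third party
                return None
            syn = Syn(src=server, dst=host, dport=port)
            self.pinholes.add(syn)
            return syn
        if line.startswith("227 "):
            host, port = parse_hostport(line)
            return Syn(src=client, dst=host, dport=port)  # outbound, no hole needed
        return None


def demo() -> dict[str, bool]:
    """Passive vs. active FTP through a plain filter and an FTP-aware one."""
    client, server = "192.0.2.10", "203.0.113.5"   # constructed addresses
    plain, aware = Filter(), Filter()
    # Passive: the server announces a listening port, the client connects out.
    pasv_reply = "227 Entering Passive Mode (203,0,113,5,195,80)"
    passive_syn = Syn(client, *parse_hostport(pasv_reply))
    # Active: the client announces its own port, the server connects back in.
    port_cmd = "PORT 192,0,2,10,200,17"
    active_syn = Syn(server, *parse_hostport(port_cmd))
    aware.track_control_line(client, server, port_cmd)
    return {
        "passive_plain": plain.passes(passive_syn),   # True: client -> server
        "active_plain": plain.passes(active_syn),     # False: server -> client, no state
        "active_aware": aware.passes(active_syn),     # True: helper opened the pinhole
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'blocked'}")
```

The `plain` filter stands for the bridge with only the static pass rules; the `aware` filter adds the one thing those rules cannot do, which is to learn the server-to-client data connection from the `PORT` line before its SYN arrives. The third-party check in `track_control_line` is the usual safeguard such helpers apply so that a control channel can only open holes towards the client that owns it.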