Subject: Re: FTP, pf, and multiple addresses
To: None <tech-net@NetBSD.org>
From: Henning Brauer <firstname.lastname@example.org>
Date: 02/09/2006 17:44:01
* der Mouse <mouse@Rodents.Montreal.QC.CA> [2006-02-08 20:42]:
> > Unless you want to write a passive-ftp-proxy module for pf, (or ipf,
> > or ipfw, or whatever your NAT software is).
> pf. I've considered writing an ftp-proxy that gets addresses right (in
note that ftp-proxy has been replaced in OpenBSD-current and works way
The proxy allows data connections to pass, rewriting and redirecting them
so that the right addresses are used. All connections from the client to
the server have their source address rewritten so they appear to come
from the proxy. Consequently, all connections from the server to the
proxy have their destination address rewritten, so they are redirected to
the client. The proxy uses the pf(4) anchor facility for this.
Assuming the FTP control connection is from $client to $server, the proxy
connected to the server using the $proxy source address, and $port is ne-
gotiated, then ftp-proxy adds the following rules to the various anchors.
(These example rules use inet, but the proxy also supports inet6.)
In case of active mode (PORT or EPRT):
rdr from $server to $proxy port $port -> $client
pass quick inet proto tcp \
from $server to $client port $port flags S/SAFR keep state
In case of passive mode (PASV or EPSV):
nat from $client to $server port $port -> $proxy
pass in quick inet proto tcp \
from $client to $server port $port flags S/SAFR keep state
pass out quick inet proto tcp \
from $proxy to $server port $port flags S/SAFR keep state
Henning Brauer, email@example.com, firstname.lastname@example.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...