 From:  "Sancho2k.net Lists" <lists at sancho2k dot net>
 To:  Braden McGrath <braden at mcmail dot homeip dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PASV FTP
 Date:  Wed, 30 Mar 2005 19:40:42 -0700
Braden McGrath wrote:
>>Otherwise, you may look at a packet filtering software that
>>"properly handles stateful masquerading."
> To clarify though... M0n0 handles stateful masquerading just fine.  It
> just doesn't handle some forms of stateful FTP masquerading, because to
> do so requires the firewall to basically rewrite FTP control packets as
> they come through.  It's an added load to the CPU, and it adds to the
> size of the firewall, both of which are enemies on m0n0.
> As others mentioned, with OpenBSD's pf, you get an "ftp-proxy" program
> that handles rewriting... on the CLIENT side.  It does this to make
> *active* FTP work with less hassle on the client side.
> I don't know how it would function if you tried to pass server-bound
> traffic through it though.

ftp-proxy is not designed for proxying FTP to servers, so it wouldn't apply.

pf however does work fine with the packet mangling involved in rewriting
the FTP traffic when sending control/data connections to a translated
address, including AFAIK port-translated addresses (port forwarding as
opposed to 1:1); hence why my FTP server on a private address can
receive passive connections from the Internet just fine. (And thus no
need for ftp-proxy to have to try to work the other way around.)

Working around firewall "unfriendly" protocols such as FTP, IRC's DCC,
and other brainless apps is one sign of a well-designed *modern* packet
filter. Even PIX manages to provide fixups.
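The "rewrite FTP control packets as they come through" step discussed in this thread, shown as an added example that is not code from the list, from pf, or from m0n0wall: a small Python routine that does what an FTP fixup must do for passive mode behind NAT. The server's 227 reply carries its private address and data port in RFC 959 h1,h2,h3,h4,p1,p2 form; the firewall has to parse it, substitute the translated public address (and, for port-forwarded rather than 1:1 setups, a translated port), and record the mapping it must now allow. The addresses are constructed (RFC 1918 and RFC 5737 documentation ranges) and the `port_map` callable is an assumption standing in for whatever port-forwarding table a real firewall would consult.

```python
import re
from ipaddress import IPv4Address
from typing import Callable, Optional, Tuple

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1 * 256 + p2.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) from a 227 reply, or None if it is not well-formed."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        return None  # reject octets a sloppy parser would silently accept
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def format_pasv(addr: str, port: int) -> str:
    """Build a 227 reply advertising addr:port in h1,h2,h3,h4,p1,p2 form."""
    octets = str(IPv4Address(addr)).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


def rewrite_pasv_reply(
    line: str,
    internal_addr: str,
    external_addr: str,
    port_map: Callable[[int], int] = lambda p: p,  # 1:1 NAT keeps the port
) -> Tuple[str, Optional[Tuple[str, int, str, int]]]:
    """Rewrite a server's 227 reply as a NAT fixup would.

    Returns the line to forward to the client and, when a rewrite happened,
    the mapping (ext_addr, ext_port, int_addr, int_port) the firewall must
    now permit for the incoming data connection. Replies advertising any
    address other than the translated server's own are passed through
    untouched and open nothing: a fixup that trusts an arbitrary address in
    the reply would punch holes towards hosts it was never asked to expose.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None
    addr, port = parsed
    if IPv4Address(addr) != IPv4Address(internal_addr):
        return line, None
    ext_port = port_map(port)
    return format_pasv(external_addr, ext_port), (external_addr, ext_port, addr, port)


if __name__ == "__main__":
    # Constructed sample: FTP server on a private address behind a public one.
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)\r\n"
    out, mapping = rewrite_pasv_reply(reply, "192.168.1.10", "203.0.113.5")
    print(out.strip(), mapping)
```

The returned mapping is the piece the thread is really about: without it, the client connects to the public address on the advertised data port and the packet filter, having no matching state or redirect, drops the connection. With `port_map` supplied, the same routine covers the port-forwarded case, where the advertised data port must also be translated.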