ftp-proxy and route-to
Kurt Dethier (Belgium)
2008-03-07 13:56:19
Hi all,

I'm trying to send some outgoing traffic via a second internet connection. Traffic like http works ok, I can use route-to in the rules to send the traffic out on the correct interface and nat to the correct public ip. But I can't get this to work for ftp-proxy.

The ftp-proxy man page says I need a rule like:
  pass out proto tcp from $proxy to any port 21
but those connections are always going out on the interface of the default route. Is it possible to make those connections go out on another interface?

Also I think I would need a route-to and reply-to in the anchor rules created by ftp-proxy. Is this possible?

Thanks for any help.

regards,
   Kurt

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: ftp-proxy and route-to
Raja
2008-03-11 05:45:53
On Sat, Mar 8, 2008 at 1:26 AM, Kurt Dethier <kurt-list-freebsd@androme.com> wrote:
> Also I think I would need a route-to and reply-to in the anchor
> rules created by ftp-proxy. Is this possible?

pfSense (a firewall based on FreeBSD) has the following pftpx patch that will let you do what you need. You can pass the route-to interface/gateway IP addr in the command line. You can find pftpx-routeto here:

http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/pfPorts/pftpx-routeto/#dirlist

You'll need to run a separate pftpx-routeto instance for every WAN interface on your box and round-robin your ftp traffic from your LAN interface to each pftpx-routeto instance. I have this setup working nicely on my FreeBSD 6.2 machine.

The ftp-proxy author is not interested in accepting this patch, stating that routing decisions must not be decided by user space apps and should remain within the kernel.

That said, he's come up with a clever solution -- implemented in ftp-proxy found in OpenBSD 4.2 -- ftp-proxy can include custom pf tags in the rules it automatically inserts. You can then match tagged packets in later pf rules and route the ftp traffic over appropriate links.

Note that as before, you'll need a separate instance of ftp-proxy tagging for every WAN interface on your box.

Let me know if you require any further help.

- Raja
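A pf.conf that puts Raja's tagging approach and Kurt's two questions together, written here as an added example; it is not from the thread, from pfSense or from the ftp-proxy project. It assumes two uplinks em0 (default route) and em1, a LAN on em2, the example addresses shown, an ftp-proxy that accepts -a and -T (OpenBSD 4.2's ftp-proxy(8), so check the one on your FreeBSD release), and a 127.0.0.2 alias on lo0 so both proxy instances can listen on port 8021 for the round-robin rdr. The proxy's own control connections get a fixed source address with -a and are steered with route-to on the "pass out ... port 21" rule; the data connections are steered by matching the tag the second instance adds to its anchor rules.

```conf
# Added example (not from the thread, pfSense or the ftp-proxy project):
# two ftp-proxy instances, one per uplink.  Every interface name and address
# below is an assumption made up for illustration.
ext_if1 = "em0"             # uplink that holds the default route
ext_if2 = "em1"             # second uplink
ext_gw2 = "198.51.100.1"    # assumed gateway on ext_if2
wan1_ip = "203.0.113.10"    # assumed address on ext_if1
wan2_ip = "198.51.100.10"   # assumed address on ext_if2
int_if  = "em2"
lan     = "192.168.1.0/24"

# The proxies are started outside pf.conf (assumed: from /etc/rc.local):
#   ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255
#   ftp-proxy -b 127.0.0.1 -p 8021 -a 203.0.113.10
#   ftp-proxy -b 127.0.0.2 -p 8021 -a 198.51.100.10 -T WAN2FTP
# -a fixes the source address of the control connections the proxy opens,
# which is also the address it puts into the nat rules it inserts for
# passive-mode data connections.  -T makes the pass rules it inserts
# non-quick and adds "tag WAN2FTP", so rules later in this file can match
# them with "tagged" and, as the last match, win.

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Plain outbound NAT per uplink.  Translation is first-match, so the anchor
# above takes precedence for proxied data connections.
nat on $ext_if1 from $lan to any -> ($ext_if1)
nat on $ext_if2 from $lan to any -> ($ext_if2)

# Hand LAN clients' control connections to the two proxies in turn.  Both
# listen on 8021 because a rdr pool carries a single destination port.
rdr on $int_if proto tcp from $lan to any port 21 \
    -> { 127.0.0.1, 127.0.0.2 } port 8021 round-robin

block all
pass in on $int_if from $lan to any keep state
pass out on $int_if from any to $lan keep state

anchor "ftp-proxy/*"

# route-to re-runs the ruleset on $ext_if2 for the packet it moved there.  A
# translated packet does not find the state created on $ext_if1, and a
# stateful rule would then try to insert a conflicting state, so this traffic
# is passed statelessly on $ext_if2.  (Drop "no state" on FreeBSD 6.x pf,
# whose rules are stateless unless they say "keep state".)
pass out quick on $ext_if2 proto tcp all tagged WAN2FTP no state

# Control connections the proxies open to FTP servers.  The first instance
# follows the default route; the second is bound to $wan2_ip and route-to
# sends its packets out $ext_if2 instead of the default-route interface.
pass out proto tcp from $wan1_ip to any port 21 flags S/SA keep state
pass out route-to ($ext_if2 $ext_gw2) proto tcp from $wan2_ip to any port 21 \
    flags S/SA keep state

# Data connections of the second instance.  The anchor rules matched first
# and tagged the packet; since they are not quick, these later rules are the
# last match and the state is created with the route-to / reply-to that the
# anchor rules themselves cannot carry.
# passive mode: client -> server, forwarded out $ext_if2
pass out route-to ($ext_if2 $ext_gw2) proto tcp all tagged WAN2FTP \
    flags S/SA keep state
# active mode: server -> client arrives on $ext_if2; replies must go back
# the same way
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp all tagged WAN2FTP \
    flags S/SA keep state
```

During a transfer through the second instance, `pfctl -a 'ftp-proxy/*' -sr` shows the rules it inserted, with the tag and without `quick`, and `pfctl -ss` should list the data-connection states against $ext_if2 addresses rather than $wan1_ip. The first instance carries no tag, so its rules stay quick and none of the `tagged WAN2FTP` rules apply to them.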
