On Mon, Jul 18, 2005 at 12:10:41PM -0400, Daniel T. Staal wrote:
>
> I'm not too interested in exact rules at this point; I can figure those
> out. I'm just looking for what people think is the best way to use the
> tools to do the job: least ports opened, least hassle, least resources,
> etc.
>
> From a scan of the man pages, ftpsesame looks to be able to handle just
> about everything except active client connections, and ftp-proxy seems to
> be able to handle everything major, but requires a lot of ports open.
as far as Just Work, i haven't had any issues with ftp-proxy over the past years. i use just two rules in pf.conf (one for the rdr, the other because i don't "rdr pass"). the 'pass on...' rule is specific to 'inet proto tcp <blahblah> user proxy'. i use '-M' and '-m' to limit the range of ports that the proxy will attempt to use, but in actuality that doesn't provide me much value, so i'm going to get rid of that after i send this out (was one of those things i twiddled early on because i thought i had some reason to do it)... i also use '-n'. active and passive both work. took me a little bit to digest the practical meaning of '-n', and i didn't know of ftpsesame prior to getting ftp-proxy to work.

ftpsesame has come up several times on the lists, but in my topology, if i don't have any compelling reason to convert from a util in base to a util in ports, it's easier to just leave good-enough alone. one less thing to worry about.

jared - [ openbsd 3.7 GENERIC ( jun 25 ) // i386 ]
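The two-rule pf.conf layout described above, written out as an added example (it is not jared's actual config); the interface names, the LAN prefix, a default-deny ruleset, the base "proxy" user, the ftp-proxy default listen port 8021 and the 49152-65535 data-port range are assumptions:

```conf
# /etc/pf.conf fragment (added example, not from the post). Assumed:
# $int_if/$ext_if names, a constructed LAN prefix, and "block all" as policy.
int_if  = "fxp0"
ext_if  = "fxp1"
int_net = "192.168.1.0/24"

# Rule 1: redirect the clients' FTP control connections to the local proxy.
# Plain "rdr" (no "rdr pass"), so the redirected traffic still needs a pass rule.
rdr on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

block all

# The redirected control connection arriving on the inside interface.
pass in on $int_if proto tcp from $int_net to 127.0.0.1 port 8021 flags S/SA keep state

# Rule 2: everything the proxy opens on the outside, matched by socket owner.
# Outbound: control connection and passive-mode data to the server.
# Inbound: active-mode data connection coming back from the server.
# "user proxy" limits these to sockets owned by the proxy user, so no port
# range is opened for arbitrary local processes.
pass out on $ext_if inet proto tcp from $ext_if to any user proxy flags S/SA keep state
pass in  on $ext_if inet proto tcp from any to $ext_if user proxy flags S/SA keep state

# /etc/inetd.conf entry (single line). -n: NAT mode, because this host is
# assumed to be the NAT gateway for $int_net. -m/-M pin the proxy's data
# ports to an assumed range; with that in place the inbound "user proxy"
# rule above can also carry "port 49152:65535" for a tighter match.
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -n -m 49152 -M 65535
```

Without -m/-M the proxy picks any ephemeral port, which is why the post finds them of little value when the pass rule is already scoped by "user proxy" rather than by port.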
