On Mon, Apr 15, 2013 at 1:54 PM, Kimmo Paasiala <kpaas...@gmail.com> wrote: > On Mon, Apr 15, 2013 at 1:50 PM, Lev Serebryakov <l...@freebsd.org> wrote: >> Hello, Kimmo. >> You wrote 15 апреля 2013 г., 14:47:24: >> >> KP> I'm however talking about an ftp client behind a very restrictive >> KP> firewall making an IPv6 connection an ftp server that uses passive >> KP> mode data ports that can't be known in advance. >> Same solution -- inspection of connections to 21 port, without any >> address translation. And if FTP server uses non-standard control >> port, yes, here is a problem, but it cannot be solved with NAT too >> (or your NAT/firewall should expect each and every connection for FTP >> commands, which is heavy and error-prone task). >> > > Mmm, are you thinking of the way Linux iptables handles this scenario > with a kernel mode helper? I don't think any of the three packet > filters in FreeBSD has a functionality like that yet. > > -Kimmo
To elaborate on this, Linux iptables has a "related" qualifier for rules and the "related" traffic is identified by kernel mode helpers, ftp is one example for their use. -Kimmo _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
