On Tue, 26 Jun 2012 14:51:35 +0600 Илья Шипицин <chipits...@gmail.com> wrote:
> Hello!
>
> I managed to get ftp through PF working either without ftp-proxy ...
>
> match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
> match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
> match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20
>
>
> or with ftp-proxy...
>
> pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021
>
>
> /etc/rc.local:
>
> /usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v
>
>
> I asked the question: is it possible to use multiple instances of ftp-proxy?
> It turned out that several people are running reverse ftp-proxy in
> production.
> So... can anybody help me to choose between the two above options? With
> ftp-proxy or without ftp-proxy?

Your solution without ftp-proxy won't work when other services expect incoming tcp connections in the high port range. ftp-proxy will only open and forward ports that have been negotiated in the ftp control connection. This is safer and will not interfere with other services.

Use ftp-proxy.

Christopher
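
The difference between the two options, as an added example that is not part of the original thread and is not ftp-proxy's code: a simplified model of control-channel tracking that extracts the data ports a session actually negotiates (PORT/227 per RFC 959, EPRT/229 per RFC 2428) and compares them with the static 1024:65535 range. The function names, the sample session, and the port 8443 listener are assumptions made for illustration.

```python
import re

STATIC_RANGE = range(1024, 65536)   # the 1024:65535 rdr-to range from the post
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

def _hostport(arg):
    """Decode h1,h2,h3,h4,p1,p2 (RFC 959) into (ip, port)."""
    m = _HP.search(arg)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:                      # reject malformed octets
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def negotiated_endpoint(line, peer_ip):
    """Return the (ip, port) one control-channel line announces, else None."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("PORT", "227"):
        return _hostport(arg)
    if verb == "229":                     # RFC 2428: port only, address = peer
        m = _EPSV.search(arg)
        if m and 0 < int(m.group(2)) < 65536:
            return peer_ip, int(m.group(2))
    if verb == "EPRT" and arg:            # e.g. |1|192.0.2.10|6275|
        parts = arg.split(arg[0])
        if len(parts) == 5 and parts[3].isdigit() and 0 < int(parts[3]) < 65536:
            return parts[2], int(parts[3])
    return None

def ports_to_open(control_lines, peer_ip):
    """Ports a control-channel-aware proxy would need for this session."""
    found = (negotiated_endpoint(l, peer_ip) for l in control_lines)
    return {ep[1] for ep in found if ep}

# Constructed control-channel excerpt (not captured traffic).
SAMPLE = [
    "USER anonymous",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "229 Entering Extended Passive Mode (|||6446|)",
    "PORT 203,0,113,7,4,1",
]
OTHER_SERVICE_PORT = 8443   # hypothetical unrelated listener on a high port

if __name__ == "__main__":
    opened = ports_to_open(SAMPLE, "192.0.2.10")
    print(sorted(opened), "negotiated vs", len(STATIC_RANGE), "in the static range")
    print("static range covers other service:", OTHER_SERVICE_PORT in STATIC_RANGE)
```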