On 2012-11-29, Chris Smith <obsd_m...@chrissmith.org> wrote:
> On Wed, Nov 28, 2012 at 12:48 PM, Chris Smith <obsd_m...@chrissmith.org>
> wrote:
>> Looks like skipping ftp-proxy for that target address works. Thanks!
>
> Is there any way to make this work automagically for ftps?
> Right now I'm doing this:
>============================
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp from <int_net> to !$ftps_srvr
> port ftp rdr-to 127.0.0.1 port 8021
>============================
> Which works around using ftp-proxy for that particular ftps server.
> But is there a way to recognize an ftps attempt and skip ftp-proxy
> dynamically? Then one would not need to know the ftps server's IP
> address in advance.
>
> Thanks,
>
> Chris
Not exactly, but you might be able to do something with this, *before* your
ftp-proxy rule:

pass out quick proto tcp to 0.0.0.0/0 port 8821 rdr-to 0.0.0.0/0 port 21 bitmask

Then if you tell your ftp client to connect to port 8821 it would get
redirected to port 21 and skip ftp-proxy.

You would still need rules to permit data connections as of course the
commands in the control connection cannot be inspected (though changing
active/passive may help there).
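The two approaches from this thread assembled into one pf.conf fragment, as an added example that is not part of either message: the static exception for a known FTPS server, the port-8821 bypass from the reply, and the explicit data-connection rules the reply says are still needed. Interface names, the LAN table, the server address and the passive port range are assumptions (a real FTPS server's passive range must match what is configured on that server).

```conf
# Added example, not from the thread. Names and addresses are assumed.
int_if  = "em1"                    # assumed LAN-facing interface
ext_if  = "em0"                    # assumed upstream interface
table <int_net> { 192.168.1.0/24 } # constructed LAN range
ftps_srvr = "203.0.113.10"         # placeholder FTPS server address
ftps_pasv = "50000:50100"          # assumed passive range set on that server

# Bypass from the reply: a client that connects to port 8821 is redirected
# 1:1 (bitmask keeps the destination address) to port 21 on the same host,
# so the control connection never hits the ftp-proxy rdr rule below.
pass in  on $int_if inet proto tcp from <int_net> to any port 8821
pass out quick proto tcp to 0.0.0.0/0 port 8821 rdr-to 0.0.0.0/0 port 21 bitmask

# Static exception from the first message: port 21 traffic to the known
# FTPS server is passed without redirection, everything else goes through
# ftp-proxy listening on 127.0.0.1:8021.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from <int_net> to !$ftps_srvr \
    port ftp rdr-to 127.0.0.1 port 8021
pass in quick on $int_if inet proto tcp from <int_net> to $ftps_srvr port ftp

# Data connections: ftp-proxy cannot read PORT/PASV inside a TLS-protected
# control channel, so passive-mode data ports to the FTPS server must be
# allowed explicitly (pf keeps state on these by default).
pass in  on $int_if inet proto tcp from <int_net> to $ftps_srvr port $ftps_pasv
pass out on $ext_if inet proto tcp from <int_net> to $ftps_srvr port $ftps_pasv
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`; the bypass rule must stay above the ftp-proxy rdr rule, and the data rules are only as narrow as the passive range the server actually uses.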