Problem with ftp-proxy
Mark Felder
feld at feld.me
Tue Jun 18 11:32:57 UTC 2013
On Tue, 18 Jun 2013 06:11:43 -0500, Rainer Duffner
<rainer at ultra-secure.de> wrote:
> Hi,
>
>
> I use ftp-proxy, together with the patch that starts multiple instances:
>
I recommend avoiding ftp-proxy and setting up static rules that you know
will work. On our systems in pure-ftpd.conf we set

    PassivePortRange 3000 3200

and then on the system's firewall and every firewall in front we pass
through ports 3000-3200. It's a simple solution that's guaranteed to work,
and you don't have to debug what the proxy is doing.

Also, most ftp-proxy software tends to do a very bad job once you start
throwing in FTPES. We see this with customer firewalls all the time. These
firewall services under the guise of "proxies", "fixups", or "Application
Layer Gateways" are just inconsistent and unreliable no matter which
vendor supplies it.

Note, you may have to make the range larger if you expect more than 200
concurrent sessions.
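
Added example, not part of the original post: a small Python check that the data ports a server announces in its passive-mode replies (227 PASV, 229 EPSV) fall inside the PassivePortRange that the static firewall rules pass. The config excerpt and server replies are constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample input: the config line from the post plus made-up replies.
SAMPLE_CONF = """\
# pure-ftpd.conf (excerpt)
PassivePortRange 3000 3200
"""
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,11,224)",  # 11*256 + 224 = 3040
    "229 Entering Extended Passive Mode (|||3200|)",  # upper edge of the range
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # 195*256 + 80 = 50000
]

def passive_range(conf_text):
    """Return (low, high) from the PassivePortRange line, or None if unset."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*PassivePortRange\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
            if not 0 < low <= high <= 65535:
                raise ValueError(f"invalid PassivePortRange: {line.strip()}")
            return low, high
    return None

def data_port(reply):
    """Extract the announced data port from a 227 or 229 reply, else None."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        # PASV encodes the port as two bytes: high byte, then low byte.
        return int(m.group(5)) * 256 + int(m.group(6))
    m = re.match(r"229 .*?\(\|\|\|(\d+)\|\)", reply)
    if m:
        return int(m.group(1))
    return None

def out_of_range(conf_text, replies):
    """Return (port, reply) pairs the static firewall rules would not pass."""
    rng = passive_range(conf_text)
    if rng is None:
        raise ValueError("PassivePortRange is not set")
    low, high = rng
    found = []
    for reply in replies:
        port = data_port(reply)
        if port is not None and not low <= port <= high:
            found.append((port, reply))
    return found

if __name__ == "__main__":
    for port, reply in out_of_range(SAMPLE_CONF, SAMPLE_REPLIES):
        print(f"port {port} is outside the configured range: {reply}")
```

With FTPES the control channel is encrypted, so the replies have to be collected from a client or server log rather than read off the wire.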