Any serious production servers yet?

Dmitri Nikulin dnikulin at gmail.com
Tue May 30 15:30:12 PDT 2006


On 5/31/06, Jeremy C. Reed <reed at xxxxxxxxxxxxx> wrote:
>> If some of the devs could do porting ftp-proxy (formerly pftpx) and
>> ftpsesame I would switch immediately. Consider this as an argument. :-P
>
> Both are available via pkgsrc. ftp-proxy is in the pkgsrc/security/pflkm
> package. I didn't check if it was the newer pftpx rewrite though.
>
> And ftpsesame is at pkgsrc/wip/ftpsesame.

Hold on... I've been using ftp-proxy on DragonFly systems since it
first got pf. It's always been in the base package, and its binary has
been in /usr/libexec/ftp-proxy. The only difference I can find from
the NetBSD version is that it has no 'pf/ipfilter' distinction modes.
I don't know how the OpenBSD one works.

At the very least, I have never needed to resort to pkgsrc to do FTP
proxying with pf in DragonFly. Also, the minor difficulty in not being
able to target 127.x.y.z is not as bad as it sounds, as long as you
can actually bind the server to something else. The filter should take
care of the security aspect.

And yes, the whole setup is remarkably stable under DragonFly in UP
and SMP rigs. I've had one repeated panic with pf in an SMP
environment but it was declawed by turning off normalization in the
rule set. Once the rest of the network stack is properly MPSAFE it'll
be difficult to recommend anything *but* DragonFly for a high-load
firewall or server.
 -- Dmitri Nikulin