add example using per-user pf rules to allow backchannel connections

to the proxy.
author: beck <beck@openbsd.org> 2002-06-08 23:49:35 +0000
committer: beck <beck@openbsd.org> 2002-06-08 23:49:35 +0000
commit: 605990207c1a8ff75919f9649c26ffc78bb3f7fc (patch)
tree: bddfd79aaca20a1a8e8e007d5fe125beccb1edae /libexec/ftp-proxy
parent: Take advantage of sysctls for stats --- not in use, as we need the (diff)
download: wireguard-openbsd-605990207c1a8ff75919f9649c26ffc78bb3f7fc.tar.xz
wireguard-openbsd-605990207c1a8ff75919f9649c26ffc78bb3f7fc.zip
1 files changed, 9 insertions, 1 deletions
diff --git a/libexec/ftp-proxy/ftp-proxy.8 b/libexec/ftp-proxy/ftp-proxy.8
index 5b7e7f60943..109a56b40ea 100644
--- a/libexec/ftp-proxy/ftp-proxy.8
+++ b/libexec/ftp-proxy/ftp-proxy.8
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ftp-proxy.8,v 1.17 2002/05/23 10:22:14 deraadt Exp $
+.\"	$OpenBSD: ftp-proxy.8,v 1.18 2002/06/08 23:49:35 beck Exp $
 .\"
 .\" Copyright (c) 1996-2001
 .\"	Obtuse Systems Corporation, All rights reserved.
@@ -187,6 +187,14 @@ statefully (assuming xl1 is the external interface):
 block in on xl1 proto tcp all
 pass  in on xl1 proto tcp from any to xl1 port > 49151 keep state
 .Ed
+.Pp
+Alternatively, rules make use of the fact that by default,
+.Nm ftp-proxy
+runs as user "proxy" to allow the backchannel connections, as in the following example:
+.Bd -literal
+block in on xl1 proto tcp all
+pass  in on xl1 proto tcp from any to xl1 user proxy keep state
+.Ed
 .Sh SEE ALSO
 .Xr ftp 1 ,
 .Xr hosts.allow 5 ,
author	beck <beck@openbsd.org>	2002-06-08 23:49:35 +0000
committer	beck <beck@openbsd.org>	2002-06-08 23:49:35 +0000
commit	605990207c1a8ff75919f9649c26ffc78bb3f7fc (patch)
tree	bddfd79aaca20a1a8e8e007d5fe125beccb1edae /libexec/ftp-proxy
parent	Take advantage of sysctls for stats --- not in use, as we need the (diff)
download	wireguard-openbsd-605990207c1a8ff75919f9649c26ffc78bb3f7fc.tar.xz wireguard-openbsd-605990207c1a8ff75919f9649c26ffc78bb3f7fc.zip