
[Fwd: Re: ftp-proxy and pf]




Hi there.
I tried all the ftp-proxy versions and all the possible options in inetd.conf. ftp-proxy and PF do not work with "Restrict FTP clients" in Active mode.
Please, if someone has options to make "restricted FTP clients" behind NAT with pf, please let me know.


Thanks
Marcos Biscaysaqu
ThePacific.net

Peter Fraser wrote:

After reading the ftp RFCs (959 and 1123) I don't understand
how ftp-proxy can work without support of pf, and any
ftp client that works in active mode with the current ftp-proxy
is in violation of these RFCs.

In particular, section 3.2 of rfc949 and 4.1.2.12 of rfc1123
together say that the data from an active ftp connection
must come from port ftp-data and the IP address of the
control channel (i.e. the IP address of the ftp open command).

pf needs to be involved because ftp-proxy could rewrite the
IP address and port of the data connection before sending it
on to the ftp client, but without pf redirecting the return
packets, ftp-proxy would not see answering packets
from the client on the data connection.
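
The source check described in the message above, together with the PORT rewrite a proxy performs, as an added example that is not part of the original thread and is not ftp-proxy's code. The function names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

FTP_DATA_PORT = 20  # "ftp-data": the port a strict client expects data to come from


def parse_port_arg(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (host, port)."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("PORT argument must be six decimal fields")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port_arg(host, port):
    """Inverse of parse_port_arg."""
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def rewrite_port(line, proxy_ip, proxy_port):
    """Replace the client's address in a PORT line with the proxy's listener."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return line                      # other commands pass through unchanged
    parse_port_arg(arg)                  # reject malformed arguments
    return "PORT " + format_port_arg(proxy_ip, proxy_port) + "\r\n"


def restricted_client_accepts(control_peer, data_src):
    """Strict check: data must come from the control peer's IP, port ftp-data."""
    (ctrl_ip, _ctrl_port), (src_ip, src_port) = control_peer, data_src
    return src_ip == ctrl_ip and src_port == FTP_DATA_PORT


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.10 behind NAT, gateway 192.168.1.1
    # inside / 203.0.113.1 outside, FTP server 198.51.100.7.
    control_peer = ("198.51.100.7", 21)  # who the client believes it talks to
    print(rewrite_port("PORT 192,168,1,10,195,80\r\n", "203.0.113.1", 50001))
    # Data connection arriving straight from the proxy's own socket:
    print(restricted_client_accepts(control_peer, ("192.168.1.1", 50001)))
    # Same connection after the packet filter rewrites its source address/port:
    print(restricted_client_accepts(control_peer, ("198.51.100.7", 20)))
```
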