[Fwd: Re: ftp-proxy and pf]
I tried all the ftp-proxy versions and all the possible options in
inetd.conf. ftp-proxy and PF do not work with "Restrict FTP
clients" in active mode.
Please, if someone has options to make "restricted FTP clients" work behind
NAT with pf, please let me know.
Peter Fraser wrote:
After reading the ftp RFCs (959 and 1123) I don't understand
how ftp-proxy can work without support of pf, and any
ftp client that works in active mode with the current ftp-proxy
is in violation of these RFCs.
In particular section 3.2 of rfc949 and 126.96.36.199 of rfc1123
together say that the data from an active ftp connection
must come from port ftp-data and the IP address of the
control channel (i.e. the IP address of the ftp open command).

pf needs to be involved because ftp-proxy could rewrite the
IP address and port of the data connection before sending it
on to the ftp client, but without pf redirecting the
return packets, ftp-proxy would not see answering packets
from the client on the data connection.
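
Added example, not part of the original thread and not ftp-proxy or pf code: a Python model of the source check described above (data connection must come from the control channel's IP address and port ftp-data), together with the PORT rewrite a NAT-side proxy performs. All function names are hypothetical and all addresses are constructed documentation values.

```python
import ipaddress

FTP_DATA_PORT = 20  # "ftp-data": the source port expected for active-mode data

def parse_port(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port)."""
    verb, _, arg = cmd.strip().partition(" ")
    parts = arg.split(",")
    ok = all(p.isascii() and p.isdigit() and int(p) < 256 for p in parts)
    if verb.upper() != "PORT" or len(parts) != 6 or not ok:
        raise ValueError("malformed PORT command: %r" % cmd)
    n = [int(p) for p in parts]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def format_port(ip, port):
    """Build a PORT command for a dotted-quad address and a TCP port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)

def proxy_rewrite(cmd, proxy_ip, proxy_port):
    """Swap the client's private endpoint for the proxy's own listener,
    so the server connects back to an address it can actually reach."""
    parse_port(cmd)  # reject malformed input before relaying anything
    return format_port(proxy_ip, proxy_port)

def restricted_client_accepts(control_peer_ip, data_src_ip, data_src_port):
    """The restricted client's check: accept an inbound data connection only
    if it comes from the control channel's peer address and port ftp-data."""
    same_host = (ipaddress.ip_address(data_src_ip)
                 == ipaddress.ip_address(control_peer_ip))
    return same_host and data_src_port == FTP_DATA_PORT

if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges).
    server = "203.0.113.5"           # FTP server the client opened
    proxy_ext = "198.51.100.1"       # NAT gateway, external side
    proxy_int = "192.168.1.1"        # NAT gateway, internal side
    client_cmd = "PORT 192,168,1,10,195,80"

    print("client sent :", client_cmd, "->", parse_port(client_cmd))
    print("server sees :", proxy_rewrite(client_cmd, proxy_ext, 50001))
    # Data relayed from the proxy's own address and an ephemeral port:
    print("relayed src :", restricted_client_accepts(server, proxy_int, 49152))
    # Data whose source was rewritten to the server's address, port 20:
    print("rewritten   :", restricted_client_accepts(server, server, 20))
```
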