Hi everybody, I have a very restrictive NAT gateway. In order to provide outside FTP access, I use FreeBSD 5.4 + PF + ftp-proxy. All clients are transparently redirected to ftp-proxy, and both active and passive mode used to work just fine. Packets are allowed if they are to/from user proxy, so, even though FTP uses random ports, I have full control over the traffic. Anyway, Firefox users were very happy.
This used to be a happy configuration, until "somebody" thought that breaking the FTP RFC is a small sacrifice against paranoid security.

http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

The following happens: Firefox is only able to do passive FTP. When ftp-proxy receives the PASV command, it will return a data channel IP which is different from the control channel IP. This is perfectly fine, and the RFCs regarded this as a feature. However, newer Firefoxes treat this as an attack, ignore the data channel IP and attempt to connect to the same IP as the control channel. This of course fails.

Does anybody have a transparent solution to this problem? I tried using "ftp-proxy -n", but due to the random nature of FTP data channel ports, it is impossible to keep the gateway restricted while offering flawless FTP service.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
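The PASV exchange the post describes, as an added example that is not part of the original message and is neither ftp-proxy's nor Firefox's code: a small Python model of the 227 reply, of the transparent proxy rewriting it to its own address, and of the strict client check from MFSA 2007-11 that discards the advertised address. The addresses, port numbers, the `gateway_allows` policy model and all function names are assumptions made for the walk-through; the only thing taken from a specification is the RFC 959 `(h1,h2,h3,h4,p1,p2)` format.

```python
"""Model of a PASV exchange through a transparent FTP proxy and of the
strict client check described by MFSA 2007-11.  Constructed example; it is
not ftp-proxy's or Firefox's code."""
import re

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Only the parenthesised tuple is normative; the text before it is free-form.
PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Addresses assumed for the walk-through (constructed; RFC 5737 range outside).
CLIENT_IP = "10.0.0.23"       # inside host that pf transparently redirects
PROXY_IP = "10.0.0.1"         # inside address of the gateway running ftp-proxy
SERVER_IP = "198.51.100.7"    # real FTP server on the outside


def parse_pasv(reply):
    """Parse a 227 reply into (host, port), rejecting malformed tuples."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("227 reply without (h1,h2,h3,h4,p1,p2): %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % reply)
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 in %r" % reply)
    return ".".join(str(f) for f in fields[:4]), port


def format_pasv(host, port):
    """Build a 227 reply for host:port in RFC 959 form."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port >> 8, port & 0xFF)


def client_data_target(reply, control_peer, strict):
    """Return (host, port, overridden) for the data connection.

    strict=False: connect where the 227 reply says (RFC 959 behaviour).
    strict=True: if the advertised host differs from the control-channel
    peer, ignore it and use the control peer instead, which is the
    behaviour MFSA 2007-11 describes.
    """
    host, port = parse_pasv(reply)
    if strict and host != control_peer:
        return control_peer, port, True
    return host, port, False


def proxy_rewrite_pasv(server_reply, proxy_ip, proxy_port):
    """Transparent proxy behaviour from the post: the proxy listens on its
    own address for the data channel and rewrites the server's 227."""
    parse_pasv(server_reply)          # validate what the server sent
    return format_pasv(proxy_ip, proxy_port)


def gateway_allows(src_ip, dst_ip):
    """Toy model of the poster's pf policy (assumption): inside hosts may
    only reach the proxy; only the proxy opens the random-port leg outward."""
    if src_ip == PROXY_IP:
        return True
    return dst_ip == PROXY_IP


def run_pasv_exchange(strict):
    """Walk through the exchange and report where the client ends up.
    Because the rdr rule is transparent, the client believes its control
    peer is SERVER_IP even though it is really talking to the proxy."""
    server_reply = format_pasv(SERVER_IP, 51243)      # server's random port
    client_sees = proxy_rewrite_pasv(server_reply, PROXY_IP, 49152)
    host, port, overridden = client_data_target(client_sees, SERVER_IP, strict)
    return {
        "server_reply": server_reply,
        "client_sees": client_sees,
        "client_connects_to": (host, port),
        "advertised_host_ignored": overridden,
        "gateway_allows": gateway_allows(CLIENT_IP, host),
    }


if __name__ == "__main__":
    for strict in (False, True):
        print("strict=%s -> %s" % (strict, run_pasv_exchange(strict)))
```

With `strict=False` the client connects to the proxy's address and the gateway policy lets it through; with `strict=True` the client throws away the proxy's address, connects to the control peer (the outside server) on the proxy's data port, and the restricted gateway drops it, which is the failure the post describes.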