Article delegate-en/4554 of [1-5169] on the server localhost:119
[Reference:<_A4553@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FTP extended passive mode issues
08 Sep 2009 08:35:31 GMT Sebastien Barbereau <pzaiqbdyi-ytjem447qmlr.ml@ml.delegate.org>
ECMWF


Hello,
First off, thanks for the quick answer and the excellent product.

Concerning the 'why' we want to disable EPSV (you are right, it's not
XDC but extended passive):
Our proxy sits on a dedicated DMZ of our firewall. For some reason the
firewall doesn't seem to interpret the EPSV command in some
circumstances. In other words:
- from proxy to internet EPSV works
- from hosts on a different network than the proxy via the ftp-proxy (and
through the firewall): doesn't work. I can even see the packets of the
extended connection being rejected by the firewall.
This makes me think that the firewall has a problem handling the EPSV
command parameters when they come from the proxy. The most obvious and
immediate change for me is to disable EPSV at the proxy level for the
clients. (In a second phase, trying to get the FW vendor to acknowledge
the problem and solve it.)

I can confirm that nopasv:cl does solve the problem but I didn't yet have
a chance to test your patch.  I will do so as soon as possible.

Cheers,
Seb.



Yutaka Sato wrote:
>  |we are encountering a small problem when using delegated as ftp proxy
>  |server for outgoing connections.
>  |We want to disable the extended passive mode for the clients,
>
> Why?
>
>  |to do this
>  |we are trying to use the noxcd as FTPCONF option.
>
> FTPCONF=noxdc is to suppress "MODE XDC" which is used just between
> two DeleGates.
> Maybe you are referring to the "EPSV" command.
>
>  |But it seems not to be working, or at least not to do what I thought.
>  |Our clients still continue to try to use extended passive mode (which
>  |brings up issues with the firewall).
>
> Does the firewall not support or reject EPSV?
> As far as I know EPSV is more firewall friendly than PASV.
>
>  |The only difference is that the
>  |proxy ftp banner does not advertise XDC anymore.
>
> You can suppress both PASV and EPSV with FTPCONF="nopasv" but that will
> not be the desired behavior.  The enclosed patch adds a new switch
>
>   FTPCONF="noepsv"
>
> which disables the announcement of EPSV to the client's FEAT command.
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
> *** dist/src/delegate9.9.5-pre6/src/ftp.c	Fri Aug 21 03:56:25 2009
> --- ./src/ftp.c	Tue Sep  8 17:02:20 2009
> ***************
> *** 71,76 ****
> --- 71,77 ----
>   	int	fc_chokedata;
>   	int	fc_noxdcSV;	/* don't use XDC with server */
>   	int	fc_noxdcCL;
> + 	int	fc_noepsvCL;
>   	int	fc_nopasvSV;	/* don't use PASV with server */
>   	int	fc_nopasvCL;
>   	int	fc_noportSV;
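Review bot: `fc_noepsvCL` is declared without the trailing comment its neighbours carry (`fc_noxdcSV`, `fc_nopasvSV` both say what they suppress); add `/* don't announce EPSV to client */` so the reader sees at the declaration that this flag only affects the FEAT advertisement to the client, not the server side.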
> ***************
> *** 378,383 ****
> --- 379,387 ----
>   	if( strcaseeq(what,"CHOKEDATA") ){
>   		FCF.fc_chokedata = atoi(val);
>   	}else
> + 	if( strcaseeq(what,"NOEPSV") ){
> + 		if( *val == 0 || strcaseeq(val,"cl") ) FCF.fc_noepsvCL = 1;
> + 	}else
>   	if( strcaseeq(what,"NOPASV") ){
>   		if( *val == 0 || strcaseeq(val,"sv") ) FCF.fc_nopasvSV = 1;
>   		if( *val == 0 || strcaseeq(val,"cl") ) FCF.fc_nopasvCL = 1;
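Review bot: the NOEPSV branch accepts only an empty value or "cl", so `FTPCONF="noepsv:sv"` or any misspelled value sets nothing and produces no diagnostic, whereas the NOPASV branch right below handles both "sv" and "cl". Either document that only `noepsv` / `noepsv:cl` are meaningful, or report an unrecognised value at parse time so a typo is not silently ignored.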
> ***************
> *** 2182,2187 ****
> --- 2186,2192 ----
>   	}
>   	fprintf(tc," SIZE\r\n");
>   	if( !FCF.fc_nopasvCL )
> + 	if( !FCF.fc_noepsvCL )
>   		fprintf(tc," EPSV\r\n");
>   	if( !FCF.fc_noportCL )
>   		fprintf(tc," EPRT\r\n");
>   
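Review bot: the two stacked `if( !FCF.fc_nopasvCL )` / `if( !FCF.fc_noepsvCL )` lines without braces are fragile, since any later statement inserted between them changes which condition guards the `fprintf(tc," EPSV\r\n")`; combine them as `if( !FCF.fc_nopasvCL && !FCF.fc_noepsvCL )`. Note also that this hunk only removes EPSV from the FEAT reply; whether the proxy still accepts an EPSV command from a client that does not consult FEAT is not covered here and is worth confirming, because that is exactly the path the firewall problem is reported on.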

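The patch above hides EPSV from the FEAT reply rather than refusing the command. The following is an added example, not DeleGate's code or anything from this thread: it models how a client that honours FEAT picks its passive mode, next to a client that sends EPSV regardless, and it parses the 229 (RFC 2428) and 227 (RFC 959) replies a firewall or proxy has to inspect to open the data channel. The FEAT replies and 229/227 lines are constructed samples, and `honors_feat` is an assumed flag for the two client behaviours.

```python
import re

# Constructed sample FEAT replies (not captured from DeleGate). The second
# one mirrors the effect of the noepsv switch: EPSV is simply not listed.
FEAT_WITH_EPSV = [
    "211-Features:",
    " SIZE",
    " EPSV",
    " EPRT",
    "211 End",
]
FEAT_WITHOUT_EPSV = [
    "211-Features:",
    " SIZE",
    " EPRT",
    "211 End",
]


def advertised_features(reply_lines):
    """Return the feature names from a multi-line 211 FEAT reply (RFC 2389).

    The first line ("211-Features:") and the last line ("211 End") frame the
    list; every line in between names one feature, optionally with parameters.
    """
    feats = set()
    for line in reply_lines[1:-1]:
        parts = line.strip().split()
        if parts:
            feats.add(parts[0].upper())
    return feats


def choose_data_mode(reply_lines, honors_feat=True):
    """Decide which passive command a client will send after FEAT.

    honors_feat=True  models a client that uses EPSV only when FEAT lists it
                      (the case the noepsv switch helps with).
    honors_feat=False models a client that tries EPSV unconditionally; hiding
                      EPSV from FEAT changes nothing for it.
    """
    if not honors_feat:
        return "EPSV"
    return "EPSV" if "EPSV" in advertised_features(reply_lines) else "PASV"


# 229 carries only a port; the address is that of the control connection peer.
_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
# 227 carries host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_epsv_reply(line):
    """Extract the data port from an EPSV 229 reply (RFC 2428)."""
    m = _EPSV_RE.match(line)
    if not m:
        raise ValueError("not an EPSV 229 reply: %r" % line)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("port out of range in EPSV reply: %d" % port)
    return port


def parse_pasv_reply(line):
    """Extract (host, port) from a PASV 227 reply (RFC 959)."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % line)
    octets = [int(m.group(i)) for i in range(1, 7)]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in PASV reply: %r" % line)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


if __name__ == "__main__":
    for name, feat in (("with EPSV", FEAT_WITH_EPSV), ("without EPSV", FEAT_WITHOUT_EPSV)):
        print("FEAT %-12s FEAT-honouring client -> %s, unconditional client -> %s"
              % (name, choose_data_mode(feat), choose_data_mode(feat, honors_feat=False)))
    # Constructed replies: the same data port expressed both ways.
    print(parse_epsv_reply("229 Entering Extended Passive Mode (|||6446|)"))
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,25,46)"))
```

The two parsers make the firewall's job visible: a 227 reply embeds an address the inspection device must rewrite or pinhole, while a 229 reply names only a port and implies the control connection's peer address, which is the piece of state the firewall in this thread appears not to track when the reply originates from the proxy.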