Article delegate-en/4557 of [1-5169] on the server localhost:119
[Reference:<_A4555@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: FTP extended passive mode issues
09 Sep 2009 13:37:29 GMT Sebastien Barbereau <pzaiqbdyi-fjxi26hzzhtr.ml@ml.delegate.org>
ECMWF


Hi,
I've tried the patch but this doesn't do the job. While it recognizes the
"noepsv:cl" command it doesn't do anything about it. Using your code for
"nopasvcl" I've added a few lines of code:

--- delegate9.9.5-pre7/src/ftp.c    2009-09-08 08:02:20.000000000 +0000
+++ delegate9.9.5-pre7sb/src/ftp.c    2009-09-09 13:19:16.000000000 +0000
@@ -5546,6 +5546,10 @@
         sprintf(resp,"500 PASV is disabled.\r\n");
         goto EXIT;
     }
+    if( FCF.fc_noepsvCL ){
+        sprintf(resp,"500 EPSV is disabled.\r\n");
+        goto EXIT;
+    }
 
     /* cannot accept multiple times via SOCKS */
     if( tc != NULL )
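
Review bot: the added "if( FCF.fc_noepsvCL )" test checks only the configuration flag, not which command is being handled. It sits directly after the "500 PASV is disabled." branch, so if this code path is also reached for a client PASV, every passive request would be refused with "500 EPSV is disabled." once noepsv:cl is set. Suggest also testing that the current command is EPSV before refusing. The session quoted below completes via "200 PORT command successful [translated to PASV by DeleGate]", so it does not show whether a client PASV still gets through.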

This does the trick (at least for me). If the client attempts some EPSV
he gets rejected, then he tries on PASV and gets through.

> ftp 10.10.10.11
Trying 10.10.10.11...
Connected to 10.10.10.11.
220- 10.10.10.11 PROXY-FTP server (DeleGate/9.9.5-pre7) ready.
220-   @ @
220-  ( - ) { DeleGate/9.9.5-pre7 (September 9, 2009) }
220- AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
220- Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
220- Copyright (c) 2001-2009 National Institute of Advanced Industrial Science and Technology (AIST)
220- WWW: http://www.delegate.org/delegate/
220- --
220- You can connect to a SERVER by `user' command:
220-    ftp> user username@SERVER
220- or by `cd' command (after logged in as an anonymous user):
220-    ftp> cd //SERVER
220- Cache is enabled by default and can be disabled by `cd .' (toggle)
220- This (proxy) service is maintained by 'syc@ecmwf..'
220-
220-extended FTP [MODE XDC][XDC/BASE64]
220 
Name (proxya-int:syc): anonymous@free..fr
331 Password required for anonymous.
Password:
230-- PASS for anonymous@free..
 220 Welcome to ProXad FTP server
 331 Please specify the password.
230- Login successful.
230--  @ @ 
230  \( - )/ -- { connected to `ftp.free.fr' }
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 EPSV is disabled.
500 EPSV is disabled.
200 PORT command successful [translated to PASV by DeleGate].
150 Here comes the directory listing.
lrwxrwxrwx    1 ftp      ftp            28 Sep 27  2007 MPlayer -> mirrors/mplayerhq.hu/MPlayer
drwxr-xr-x    2 ftp      ftp          4096 May 07  2008 awstats
drwx------    2 ftp      ftp         16384 Mar 08  2006 lost+found
drwxr-xr-x    3 ftp      ftp          4096 Jul 10  2008 mirrors
drwxr-xr-x    2 ftp      ftp          4096 Dec 24  2008 nzb
drwxr-xr-x    9 ftp      ftp          4096 May 26 12:00 pub
drwxr-xr-x    2 ftp      ftp        589824 Sep 08 22:30 stats
drwxr-xr-x    2 ftp      ftp          4096 Sep 09 13:35 tmp
226 Directory send OK.
ftp> ^D
221 Goodbye.

Let me know if I'm completely wrong.
Cheers,
Seb.



Yutaka Sato wrote:
> Hi,
>
> In message <_A4554@delegate-en.ML_> on 09/08/09(17:35:22)
> you Sebastien Barbereau <pzaiqbdyi-fjxi26hzzhtr.ml@ml.delegate.org> wrote:
>  |Concerning the 'why' we want to disable the EPSV (you are right it's not
>  |the xdc but extended passive):
>  |Our proxy sits on a dedicated DMZ of our firewall. For some reasons the
>  |firewall doesn't seem to interpret the EPSV command in some
>  |circumstances. In other words:
>  |- from proxy to internet EPSV works
>  |- from hosts on a different network as the proxy via the ftp-proxy (and
>  |through the firewall): doesn't work. I can even see the packets of the
>  |extended connection being rejected by the firewall.
>  |This makes me think that the firewall has a problem to handle the EPSV
>  |command parameters when they come from the proxy. The most obvious and
>  |immediate change for me is to disable EPSV at the proxy level for the
>  |clients. (In a second phase trying to get the FW vendor to acknowledge
>  |the problem and solve it).
>
> I see.
>
>  |I can confirm that nopasv:cl does solve the problem but I didn't yet have
>  |a chance to test your patch.  I will do so as soon as possible.
>
> I uploaded 9.9.5-pre7 including the patch for FTPCONF="noepsv:cl".
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
>   
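
Background for the thread above, as an added example that is not part of the original messages and is not DeleGate code: PASV announces the data port in a 227 reply (RFC 959) and EPSV in a 229 reply (RFC 2428), so a device that tracks FTP data connections has to parse both forms. The function name ftp_data_port and the sample reply lines are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not DeleGate code): return the data port announced
 * in an FTP reply line, or -1 if it is not a well-formed 227/229 reply. */
int ftp_data_port(const char *reply)
{
    const char *p = strchr(reply, '(');
    if (p == NULL) return -1;

    if (strncmp(reply, "227 ", 4) == 0) {
        /* RFC 959 PASV: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2 */
        unsigned h[4], p1, p2;
        if (sscanf(p, "(%u,%u,%u,%u,%u,%u)", &h[0], &h[1], &h[2], &h[3], &p1, &p2) != 6)
            return -1;
        for (int i = 0; i < 4; i++)
            if (h[i] > 255)
                return -1;
        if (p1 > 255 || p2 > 255 || (p1 == 0 && p2 == 0))
            return -1;
        return (int)(p1 * 256 + p2);
    }
    if (strncmp(reply, "229 ", 4) == 0) {
        /* RFC 2428 EPSV: (<d><d><d>port<d>), no address, d is usually '|' */
        char d = p[1];
        char *end;
        if (d == '\0' || p[2] != d || p[3] != d || !isdigit((unsigned char)p[4]))
            return -1;
        unsigned long port = strtoul(p + 4, &end, 10);
        if (end[0] != d || end[1] != ')' || port == 0 || port > 65535)
            return -1;
        return (int)port;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample replies, not taken from the session above. */
    const char *samples[] = {
        "227 Entering Passive Mode (10,10,10,11,195,149)",
        "229 Entering Extended Passive Mode (|||50069|)",
        "500 EPSV is disabled.",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-50s -> %d\n", samples[i], ftp_data_port(samples[i]));
    return 0;
}
```

The 229 form carries no address, only a port, which is why an inspector written around the 227 tuple cannot reuse that parser for EPSV.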
