Hi,

I've tried the patch but this doesn't do the job. While it recognizes the "noepsv:cl" command it doesn't do anything about it. Using your code for "nopasvcl" I've added a few lines of code:

--- delegate9.9.5-pre7/src/ftp.c 2009-09-08 08:02:20.000000000 +0000 +++ delegate9.9.5-pre7sb/src/ftp.c 2009-09-09 13:19:16.000000000 +0000 
@@ -5546,6 +5546,10 @@ sprintf(resp,"500 PASV is disabled.\r\n"); goto EXIT; } + if( FCF.fc_noepsvCL ){ + sprintf(resp,"500 EPSV is disabled.\r\n"); + goto EXIT; + } /* cannot accept multiple times via SOCKS */ if( tc != NULL )

This does the trick (at least for me). If the client attempts some EPSV he gets rejected, then he tries on PASV and gets through.

> ftp 10.10.10.11
Trying 10.10.10.11...
Connected to 10.10.10.11.
220- 10.10.10.11 PROXY-FTP server (DeleGate/9.9.5-pre7) ready.
220- @ @
220- ( - ) { DeleGate/9.9.5-pre7 (September 9, 2009) }
220- AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
220- Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
220- Copyright (c) 2001-2009 National Institute of Advanced Industrial Science and Technology (AIST)
220- WWW: http://www.delegate.org/delegate/
220- --
220- You can connect to a SERVER by `user' command:
220- ftp> user username@SERVER
220- or by `cd' command (after logged in as an anonymous user):
220- ftp> cd //SERVER
220- Cache is enabled by default and can be disabled by `cd .' (toggle)
220- This (proxy) service is maintained by 'syc@ecmwf..'
220-
220-extended FTP [MODE XDC][XDC/BASE64]
220
Name (proxya-int:syc): anonymous@free..fr
331 Password required for anonymous.
Password:
230-- PASS for anonymous@free..
220 Welcome to ProXad FTP server
331 Please specify the password.
230- Login successful.
230-- @ @
230 \( - )/ -- { connected to `ftp.free.fr' }
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 EPSV is disabled.
500 EPSV is disabled.
200 PORT command successful [translated to PASV by DeleGate].
150 Here comes the directory listing.
lrwxrwxrwx 1 ftp ftp 28 Sep 27 2007 MPlayer -> mirrors/mplayerhq.hu/MPlayer
drwxr-xr-x 2 ftp ftp 4096 May 07 2008 awstats
drwx------ 2 ftp ftp 16384 Mar 08 2006 lost+found
drwxr-xr-x 3 ftp ftp 4096 Jul 10 2008 mirrors
drwxr-xr-x 2 ftp ftp 4096 Dec 24 2008 nzb
drwxr-xr-x 9 ftp ftp 4096 May 26 12:00 pub
drwxr-xr-x 2 ftp ftp 589824 Sep 08 22:30 stats
drwxr-xr-x 2 ftp ftp 4096 Sep 09 13:35 tmp
226 Directory send OK.
ftp> ^D
221 Goodbye.

Let me know if I'm completely wrong.

Cheers,
Seb.

Yutaka Sato wrote:
> Hi,
>
> In message <_A4554@delegate-en.ML_> on 09/08/09(17:35:22)
> you Sebastien Barbereau <pzaiqbdyi-fjxi26hzzhtr.ml@ml.delegate.org> wrote:
> |Concerning the 'why' we want to disable the EPSV (you are right it's not
> |the xdc but extended passive):
> |Our proxy sits on a dedicated DMZ of our firewall. For some reasons the
> |firewall doesn't seem to interpret the EPSV command in some
> |circumstances. In other words:
> |- from proxy to internet EPSV works
> |- from hosts on a different network as the proxy via the ftp-proxy (and
> |through the firewall): doesn't work. I can even see the packets of the
> |extended connection being rejected by the firewall.
> |This makes me think that the firewall has a problem to handle the EPSV
> |command parameters when they come from the proxy. The most obvious and
> |immediate change for me is to disable EPSV at the proxy level for the
> |clients. (In a second phase trying to get the FW vendor to acknowledge
> |the problem and solve it).
>
> I see.
>
> |I can confirm that nopasv:cl does solve the problem but I didn't yet have
> |a chance to test your patch. I will do so as soon as possible.
>
> I uploaded 9.9.5-pre7 including the patch for FTPCONF="noepsv:cl".
>
> Cheers,
> Yutaka
> --
> 9 9 Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
> ( ~ ) National Institute of Advanced Industrial Science and Technology
> _< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
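
Review bot: the added "if( FCF.fc_noepsvCL )" branch in the ftp.c hunk at -5546 does not test which command is being handled, so if this code path is reached for both PASV and EPSV (the context line just above it answers "500 PASV is disabled."), a plain PASV will also be refused with "500 EPSV is disabled." whenever noepsv:cl is set. The session pasted in the message is consistent with that: two "500 EPSV is disabled." replies are followed by "200 PORT command successful [translated to PASV by DeleGate]", so the client ended up in active mode rather than passive mode. Suggest gating the new branch on the received command being EPSV, and confirming with a client debug trace (ftp -d) that a PASV sent after the refused EPSV still gets a 227 reply. If clients behind the firewall cannot use PORT, the current form would leave them with no working data connection mode.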