Date: Thu, 21 Jun 2007 01:18:23 +0300
From: Cristian KLEIN <cristi@net.utcluj.ro>
To: freebsd-net@freebsd.org
Subject: ftp-proxy broken by recent Firefox
Message-ID: <4679A7AF.1070900@net.utcluj.ro>
Hi everybody,

I have a very restrictive NAT gateway. In order to provide outside FTP access, I use FreeBSD 5.4 + PF + ftp-proxy. All clients are transparently redirected to ftp-proxy, and both active and passive mode used to work just fine. Packets are allowed if they are to/from user proxy, so, even though FTP uses random ports, I have full control over the traffic. Anyway, Firefox users were very happy.

This used to be a happy configuration, until "somebody" thought that breaking the FTP RFC is a small sacrifice against paranoid security.

http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

The following happens: Firefox is only able to do passive FTP. When ftp-proxy receives the PASV command, it will return a data channel IP which is different from the control channel IP. This is perfectly fine, and RFCs regarded this as a feature. However, newer Firefoxes treat this as an attack, ignore the data channel IP and attempt to connect to the same IP as the control channel. This of course fails.

Does anybody have a transparent solution to this problem? I tried using "ftp-proxy -n" but, due to the random nature of FTP data channel ports, it is impossible to keep the gateway restricted while offering flawless FTP service.
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4679A7AF.1070900>
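As an added illustration (not part of the mail, and not ftp-proxy's or Firefox's code), the following Python model reproduces the interaction described above: a transparent proxy rewriting the server's 227 reply to its own address, and a client that either trusts the advertised host (RFC 959) or, like the Firefox release referenced by MFSA 2007-11, ignores it and reuses the control-channel host. All addresses and ports are constructed sample values.

```python
import re

# Six decimal fields of a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply, as defined in RFC 959 section 4.1.2.
_PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return the (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PASV field out of range")
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return ip, port


def rewrite_pasv(server_reply: str, proxy_ip: str, proxy_port: int) -> str:
    """What a transparent FTP proxy does: replace the server's data endpoint
    in the 227 reply with the proxy's own listener (constructed model)."""
    parse_pasv(server_reply)  # refuse to rewrite a malformed reply
    o = [int(x) for x in proxy_ip.split(".")]
    return "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n" % (
        o[0], o[1], o[2], o[3], proxy_port >> 8, proxy_port & 0xFF)


def data_target(reply: str, control_ip: str, strict: bool):
    """Where the client opens the data connection.

    strict=False: trust the 227 reply (RFC 959 behaviour).
    strict=True:  the behaviour the mail describes for newer Firefox: the
    advertised host is ignored and the control-channel host is used, so a
    proxy that advertised a different address never sees the connection.
    Returns (ip, port, note).
    """
    ip, port = parse_pasv(reply)
    if strict and ip != control_ip:
        return control_ip, port, "advertised host %s != control host %s" % (ip, control_ip)
    return ip, port, "ok"
```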
