Date: Thu, 21 Jun 2007 01:18:23 +0300
From: Cristian KLEIN <cristi@net.utcluj.ro>
To: freebsd-net@freebsd.org
Subject: ftp-proxy broken by recent Firefox
Message-ID: <4679A7AF.1070900@net.utcluj.ro>
Hi everybody,

I have a very restrictive NAT gateway. In order to provide outside FTP access, I use FreeBSD 5.4 + PF + ftp-proxy. All clients are transparently redirected to ftp-proxy, and both active and passive mode used to work just fine. Packets are allowed if they are to/from user proxy, so, even though FTP uses random ports, I have full control over the traffic. Anyway, Firefox users were very happy.

This used to be a happy configuration, until "somebody" thought that breaking the FTP RFC is a small sacrifice against paranoid security.

http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

The following happens: Firefox is only able to do passive FTP. When ftp-proxy receives the PASV command, it will return a data channel IP which is different from the control channel IP. This is perfectly fine, and RFCs regarded this as a feature. However, newer Firefoxes treat this as an attack, and ignore the data channel IP and attempt to connect to the same IP as the control channel. This of course fails.

Does anybody have a transparent solution to this problem? I tried using "ftp-proxy -n" but, due to the random nature of FTP data channel ports, it is impossible to keep the gateway restricted while offering flawless FTP service.
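The PASV exchange described in the message above, as an added example that is not part of the original post and not code from ftp-proxy or Firefox. It parses an RFC 959 "227 Entering Passive Mode" reply, shows how a transparent proxy rewrites that reply so the advertised data-channel address is the proxy's own rather than the real server's, and then applies the two client policies the post contrasts: the RFC 959 behaviour (trust the advertised address) and the behaviour the post attributes to Firefox after MFSA 2007-11 (ignore an advertised address that differs from the control-channel peer and connect to the control-channel IP instead). All addresses and ports are constructed for the example; the proxy's exact rewriting rules are an assumption, since the post only says the proxy answers with a different IP.

```python
import re

# RFC 959 section 4.2: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply, or raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {reply!r}")
    ip = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ip, port


def rewrite_pasv(proxy_ip: str, proxy_port: int) -> str:
    """Build the 227 reply a transparent proxy hands back to the client.

    Assumption for this example: the proxy listens on its own address and a
    port it chose, and advertises that pair instead of the server's. This is
    the case the post describes: the advertised data IP differs from the IP
    the client used for the control channel.
    """
    if not 0 < proxy_port < 65536:
        raise ValueError("bad proxy port")
    h = proxy_ip.split(".")
    if len(h) != 4:
        raise ValueError("IPv4 address expected")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h[0], h[1], h[2], h[3], proxy_port // 256, proxy_port % 256
    )


def data_endpoint(control_ip: str, reply: str, strict: bool):
    """Decide where a client will open its data connection.

    strict=False: RFC 959 behaviour, connect to the advertised address.
    strict=True:  the behaviour the post describes for newer Firefox: if the
                  advertised address differs from the control-channel peer,
                  ignore it and connect to control_ip on the advertised port.
    Returns (ip, port, advertised_address_used).
    """
    ip, port = parse_pasv(reply)
    if strict and ip != control_ip:
        return control_ip, port, False
    return ip, port, True


def demo():
    # Constructed addresses (documentation ranges), not real hosts.
    server_ip = "198.51.100.10"     # remote FTP server = control-channel peer
    proxy_ip = "192.0.2.1"          # gateway's inside address running ftp-proxy
    server_reply = "227 Entering Passive Mode (198,51,100,10,195,80)"
    _, server_port = parse_pasv(server_reply)          # server chose 50000
    proxied_reply = rewrite_pasv(proxy_ip, 50001)      # proxy chose its own port
    return {
        "server_data_port": server_port,
        "proxied_reply": proxied_reply,
        "rfc959_client": data_endpoint(server_ip, proxied_reply, strict=False),
        "strict_client": data_endpoint(server_ip, proxied_reply, strict=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The strict client ends up at 198.51.100.10:50001, an address where nothing listens because the proxy, not the server, chose port 50001; that is the connection failure the post reports. The RFC 959 client goes to 192.0.2.1:50001 and the proxy relays it.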