From: Cristian KLEIN <cristi@net.utcluj.ro>
Organization: Data Communication Center - Technical University of Cluj-Napoca
Date: Thu, 21 Jun 2007 01:18:23 +0300
To: freebsd-net@freebsd.org
Subject: ftp-proxy broken by recent Firefox
Message-ID: <4679A7AF.1070900@net.utcluj.ro>
List-Id: Networking and TCP/IP with FreeBSD

Hi everybody,

I have a very restrictive NAT gateway. In order to provide outside FTP access, I use FreeBSD 5.4 + PF + ftp-proxy. All clients are transparently redirected to ftp-proxy, and both active and passive mode used to work just fine. Packets are allowed if they are to/from user proxy, so, even though FTP uses random ports, I have full control over the traffic. Anyway, Firefox users were very happy.

This used to be a happy configuration, until "somebody" thought that breaking the FTP RFC is a small sacrifice against paranoid security.

http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

The following happens: Firefox is only able to do passive FTP. When ftp-proxy receives the PASV command, it will return a data channel IP which is different from the control channel IP. This is perfectly fine, and RFCs regarded this as a feature. However, newer Firefoxes treat this as an attack, ignore the data channel IP and attempt to connect to the same IP as the control channel. This of course fails.

Does anybody have a transparent solution to this problem? I tried using "ftp-proxy -n" but, due to the random nature of FTP data channel ports, it is impossible to keep the gateway restricted while offering flawless FTP service.
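The PASV interaction described in the post, as an added illustration that is not the poster's or ftp-proxy's code: it parses an RFC 959 `227` reply, applies the client-side policy the post attributes to newer Firefox (ignore the advertised data address and reuse the control-channel peer), and shows that a proxy reply only passes that check when the advertised address equals the control-channel address. The addresses, port and reply text are constructed sample values; the Firefox policy is modelled only as the post describes it.

```python
import re
from typing import Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" per RFC 959.
PASV_RE = re.compile(
    r"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) advertised by a PASV reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def choose_data_endpoint(reply: str, control_peer_ip: str, strict: bool = True):
    """Pick the data-connection target as the post says newer Firefox does:
    with strict=True, an advertised IP that differs from the control-channel
    peer is ignored and the control-channel IP is used instead (old,
    RFC-conformant behaviour is strict=False)."""
    adv_ip, port = parse_pasv(reply)
    if strict and adv_ip != control_peer_ip:
        return control_peer_ip, port, "ignored advertised IP"
    return adv_ip, port, "used advertised IP"


def rewrite_pasv(reply: str, new_ip: str) -> str:
    """Re-emit the reply with a different h1-h4 (port unchanged), i.e. the
    shape of reply a proxy would need to send to satisfy the strict check."""
    _, port = parse_pasv(reply)
    fields = ",".join(new_ip.split(".") + [str(port // 256), str(port % 256)])
    return PASV_RE.sub(lambda m: m.group(0)[: m.group(0).index("(") + 1] + fields + ")",
                       reply, count=1)


# Constructed sample: the client talks to a server at 203.0.113.10 (control
# channel), but the transparent proxy advertises its own 192.0.2.1 for data.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,1,19,137)."
CONTROL_PEER = "203.0.113.10"

if __name__ == "__main__":
    print(choose_data_endpoint(SAMPLE_REPLY, CONTROL_PEER, strict=False))
    print(choose_data_endpoint(SAMPLE_REPLY, CONTROL_PEER, strict=True))
    print(rewrite_pasv(SAMPLE_REPLY, CONTROL_PEER))
```

The strict run connects to 203.0.113.10:5001, where nothing is listening, which is the failure the post describes; only a reply rewritten to the control-channel address survives the check.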