From owner-freebsd-security Thu May 20 11:04:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mongoose.slip.net (mongoose.slip.net [207.171.193.14]) by hub.freebsd.org (Postfix) with ESMTP id A584C15238 for ; Thu, 20 May 1999 11:04:48 -0700 (PDT) (envelope-from admin@addr.net)
Received: from [209.152.191.146] (helo=comp3.addr.com) by mongoose.slip.net with esmtp (Exim 2.12 #4) id 10kXBV-000416-00 for freebsd-security@freebsd.org; Thu, 20 May 1999 11:04:45 -0700
Message-Id: <4.2.0.37.19990520104919.02a14ee0@mail.addr.com>
X-Sender: addr@mail.addr.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Thu, 20 May 1999 11:04:24 -0700
To: freebsd-security@freebsd.org
From: "Addr.com Web Hosting"
Subject: question about ftpd security feature.
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I have a question regarding a security feature which is built in to the "ftpd" on the FreeBSD system. The feature is that the server will not accept any "PORT" command unless the address matches that of the client. The reason this is a problem is because I am partially proxying the connection, and the client address is that of the proxy, but I don't want the proxy to handle data connections, just have them made directly to the client.

In more detail (and I would appreciate any comments/suggestions about this scheme or any alternate scheme you can recommend):

We have users distributed among several machines; however, we would like for the users to be able to access their accounts via a single FTP server. We are currently using NFS; however, under heavier loads it becomes unmanageable and unstable. Instead, I have developed a very simple proxy, which queries for the user name and then, based on an internal table, makes the connection to the correct server, and simply pipes any data from the server to the client, and vice versa.

This is where I hit the problem that the server will not establish a data connection to any machine other than the proxy. Of course I can proxy the data connection as well, but if it doesn't cause any security issues, I would much rather just comment that line out of the ftpd server.

Thanks in advance,
Anthony

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
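The check the poster is asking about is the classic defence against the FTP "bounce" attack: if the server opens a data connection to whatever address a PORT command names, any FTP client can make the server connect to a third host on the client's behalf. The following is an added example, not code from FreeBSD's ftpd or from the poster's proxy. It models a PORT handler that performs the two checks BSD-derived ftpds make (the data address must equal the control-connection peer, and the port must not be privileged), and then shows what the poster's proxy setup looks like from the server's side, and what accepting mismatched addresses would permit. The addresses, reply strings and the `require_peer_match` switch are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample addresses (illustrative, not from the original message):
# the proxy terminates the control connection, so ftpd sees it as the peer;
# the real client is a different host that the proxy wants data to reach.
PROXY_ADDR = "192.0.2.10"
CLIENT_ADDR = "192.0.2.77"
THIRD_PARTY = "198.51.100.5"   # an unrelated host, as a bounce-attack target

_PORT_RE = re.compile(
    r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_arg(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    m = _PORT_RE.match(arg)
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_arg_for(ip, port):
    """Build the PORT argument a client sends to have data delivered to ip:port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_port_command(peer_ip, arg, require_peer_match=True):
    """Decide whether an ftpd should honour a PORT command.

    peer_ip            address on the other end of the control connection
    arg                the PORT argument as received
    require_peer_match the check the poster wants to comment out

    Returns (accepted, reply). Reply texts are illustrative.
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"500 Illegal PORT command ({exc})"
    # Privileged ports are refused regardless: this alone stops the server
    # from being aimed at SMTP, DNS and similar services on the target.
    if port < 1024:
        return False, "500 Illegal PORT range rejected."
    # The anti-bounce check: data goes only to whoever holds the control connection.
    if require_peer_match and ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
        return False, "500 Illegal PORT command (address does not match peer)"
    return True, "200 PORT command successful."


def proxy_scenario():
    """The poster's situation, as seen by ftpd.

    Returns a dict of outcomes: the proxied PORT naming the real client,
    the same PORT with the address check disabled, and a bounce attempt
    at a third party with the check disabled.
    """
    client_port = port_arg_for(CLIENT_ADDR, 40000)
    bounce_port = port_arg_for(THIRD_PARTY, 8080)
    return {
        "checked": check_port_command(PROXY_ADDR, client_port)[0],
        "unchecked": check_port_command(PROXY_ADDR, client_port,
                                        require_peer_match=False)[0],
        "bounce_unchecked": check_port_command(PROXY_ADDR, bounce_port,
                                               require_peer_match=False)[0],
    }


if __name__ == "__main__":
    for name, ok in proxy_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `proxy_scenario` outcomes make the trade-off concrete: with the check in place ftpd rejects the proxied client's PORT, which is the poster's problem; with it removed the client's PORT is accepted, but so is a PORT aimed at an arbitrary third host on any unprivileged port, which is exactly the behaviour the check exists to prevent. The privileged-port check alone does not close that hole.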