From owner-freebsd-current@freebsd.org Thu Sep 17 18:10:42 2020
Message-Id: <202009171810.08HIAWwJ012340@slippy.cwsent.com>
From: Cy Schubert
To: "Rodney W. Grimes"
cc: Cy Schubert, Ed Maste, FreeBSD Current
Subject: Re: Deprecating ftpd in the FreeBSD base system?
In-reply-to: <202009171753.08HHrjbj014850@gndrsh.dnsmgr.net>
Date: Thu, 17 Sep 2020 11:10:32 -0700

In message <202009171753.08HHrjbj014850@gndrsh.dnsmgr.net>, "Rodney W. Grimes" writes:
> > In message c
> > om>
> > , Ed Maste writes:
> > > FTP is (becoming?) a legacy protocol, and I think it may be time to
> > > remove the ftp server from the FreeBSD base system - with the recent
> > > security advisory for ftpd serving as a reminder.
> > >
> > > I've proposed adding a deprecation notice to the man page in
> > > https://reviews.freebsd.org/D26447 to start this off. There are a
> > > number of ftp servers in ports, and if we're going to remove the base
> > > system one we can create a port for it first, as well.
> > >
> > > Any comments or concerns, please follow up in the code review or in email here.
> >
> > We should also deprecate the FTP client.
> >
> > I've been advocating removing FTP (and HTTP) from libfetch as well. People
> > should be using HTTPS only. (libfetch could support a plugin that might be
> > supplied by a port should someone be inclined to write one.)
>
> All the world is NOT the internet, there are far too many
> uses and places that do not need or warrant https, or sftp
> to make this type of move.
>
> It has already become very annoying that certain infrastructure
> now only supports https for what is data that has no security
> concern.
>
> Please do NOT remove the ftp client, or the ability of fetch
> to use ftp or http protocols.
>
> >
> > FTP is firewall unfriendly.
>
> Passive mode solved that decades ago.

Not always, when you have dueling firewalls. When the local firewall allows
passive and the remote firewall expects port ftp, i.e. denies ingress data
port, you're stuck. I see this all the time. Switching from passive to port
ftp will resolve the instance. I see this all the time. Usually due to NAT of
ftp to a bastion in the DMZ.

Even worse, Checkpoint is doing some funky things with various protocols.
FTP-like protocols, like rexec, ftp, and Oracle's TNS listener are a royal
PITA.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

The need of the many outweighs the greed of the few.
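
The passive versus port (active) failure described in the message above, as an added example that is not part of the original post or of any FreeBSD code. The firewall policy dicts and the names `data_path`, `parse_endpoint` and `advertised_behind_nat` are hypothetical, the sample values are constructed, and the NAT check goes slightly beyond the message by decoding the address a server advertises in its 227 reply.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_endpoint(text):
    """Decode h1,h2,h3,h4,p1,p2 from a PORT command or 227 reply (RFC 959)."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("field out of range in %r" % text)
    return ipaddress.IPv4Address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def data_path(mode, client_fw, server_fw):
    """Return (ok, reason) for the data connection in 'passive' or 'active' mode.

    Hypothetical policy model: each firewall is a dict with
    data_out (its host may open the data connection) and
    data_in (the peer's data connection is let in).
    """
    if mode == "passive":   # client connects to the port the server advertised
        opener, listener, names = client_fw, server_fw, ("client", "server")
    elif mode == "active":  # PORT: server connects back to the client
        opener, listener, names = server_fw, client_fw, ("server", "client")
    else:
        raise ValueError("mode must be 'passive' or 'active'")
    if not opener["data_out"]:
        return False, names[0] + " firewall blocks the outbound data connection"
    if not listener["data_in"]:
        return False, names[1] + " firewall denies the ingress data port"
    return True, "data connection completes"

def advertised_behind_nat(reply, control_peer):
    """True when a 227 reply names an RFC 1918 address but the control peer is not one."""
    addr, _port = parse_endpoint(reply)
    peer = ipaddress.IPv4Address(control_peer)
    in_1918 = lambda a: any(a in net for net in RFC1918)
    return in_1918(addr) and not in_1918(peer)

# Constructed scenario: the remote side denies the ingress data port, the
# local side permits both directions, so only active (PORT) mode works.
LOCAL = {"data_out": True, "data_in": True}
REMOTE = {"data_out": True, "data_in": False}

if __name__ == "__main__":
    for mode in ("passive", "active"):
        print(mode, data_path(mode, LOCAL, REMOTE))
    print(parse_endpoint("227 Entering Passive Mode (192,168,10,5,195,80)"))
```

If the local firewall also sets `data_in` to False, both modes fail, which is the "you're stuck" case.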