From owner-freebsd-security Thu May 20 21:35:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2])
	by hub.freebsd.org (Postfix) with ESMTP id ABF0615926
	for ; Thu, 20 May 1999 21:35:56 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA03309;
	Thu, 20 May 1999 22:35:47 -0600 (MDT)
Message-Id: <4.2.0.37.19990520223517.0468a650@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.37 (Beta)
Date: Thu, 20 May 1999 22:35:38 -0600
To: "Addr.com Web Hosting" , freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: question about ftpd sercurity feature.
In-Reply-To: <4.2.0.37.19990520104919.02a14ee0@mail.addr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Doesn't your proxy munge the PORT command?

--Brett

At 11:04 AM 5/20/99 -0700, Addr.com Web Hosting wrote:
>Hi,
>
>I have a question regarding a security feature which is built in to the "ftpd" on the FreeBSD system. The feature is that the server will not accept any "PORT" command unless the address matches that of the client. The reason this is a problem is because I am partially proxy-ing the connection, and the client address is that of the proxy, but I don't want the proxy to handle data connections, just have them made directly to the client.
>
>In more detail (and I would appreciate any comments/suggestions about this scheme or any alternate scheme you can recommend):
>
>We have users distributed among several machines, however, we would like for the users to be able to access their account via a single FTP server. We are currently using NFS, however, under heavier loads it becomes unmanageable and unstable. Instead, I have developed a very simple proxy, which queries for the user name and then based on an internal table makes the connection to the correct server, and simply pipes any data from the server to the client, and vice versa. This is where I hit the problem that the server will not establish a data connection to any machine other than the proxy. Of course I can proxy the data connection as well, but if it doesn't cause any security issues, I would much rather just comment that line out of the ftpd server.
>
>Thanks in advance,
>Anthony
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
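
The check discussed in this thread, as an added example that is not part of the original messages and is not FreeBSD ftpd's own code: a server parses the PORT argument and refuses it unless the address equals the control connection's peer, which keeps it from opening data connections to hosts other than the one that logged in. The function names, verdict names and sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are made up for this example. */
enum port_verdict { PORT_OK, PORT_MALFORMED, PORT_ADDR_MISMATCH };

/* Parse a PORT argument "h1,h2,h3,h4,p1,p2" (RFC 959), CRLF already stripped.
 * Returns 0 and fills addr/port on success, -1 on bad syntax. */
static int parse_port_arg(const char *arg, struct in_addr *addr, uint16_t *port)
{
    unsigned int f[6];
    char extra;

    /* Six decimal fields; the final %c only matches if trailing bytes remain. */
    if (sscanf(arg, "%3u,%3u,%3u,%3u,%3u,%3u%c",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &extra) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (f[i] > 255)
            return -1;
    addr->s_addr = htonl((uint32_t)f[0] << 24 | f[1] << 16 | f[2] << 8 | f[3]);
    *port = (uint16_t)(f[4] << 8 | f[5]);
    return 0;
}

/* Accept a PORT request only if it names the host at the other end of the
 * control connection (peer_ip: dotted quad, as taken from getpeername()). */
enum port_verdict check_port_cmd(const char *arg, const char *peer_ip)
{
    struct in_addr want, peer;
    uint16_t port;

    if (inet_pton(AF_INET, peer_ip, &peer) != 1)
        return PORT_MALFORMED;
    if (parse_port_arg(arg, &want, &port) != 0)
        return PORT_MALFORMED;
    if (want.s_addr != peer.s_addr)
        return PORT_ADDR_MISMATCH;
    return PORT_OK;
}

int main(void)
{
    /* Constructed addresses: 192.0.2.1 is the proxy, 198.51.100.7 the real client. */
    printf("proxy's own address: %d\n", check_port_cmd("192,0,2,1,4,1", "192.0.2.1"));
    printf("client behind proxy: %d\n", check_port_cmd("198,51,100,7,4,1", "192.0.2.1"));
    return 0;
}
```

The second call is the proxy setup from the quoted question: the control connection arrives from the proxy while the PORT argument names the end user's machine, so the request is refused.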