[DeleGate-En] Re: FTP extended passive mode issues
In message <_A4554@delegate-en.ML_> on 09/08/09(17:35:22)
you Sebastien Barbereau <firstname.lastname@example.org> wrote:
|Concerning the 'why' we want to disable the EPSV (you are right it's not
|the xdc but extended passive):
|Our proxy sits on a dedicated DMZ of our firewall. For some reasons the
|firewall doesn't seem to interpret the EPSV command in some
|circumstances. In other words:
|- from proxy to internet EPSV works
|- from hosts on a different network than the proxy via the ftp-proxy (and
|through the firewall): doesn't work. I can even see the packets of the
|extended connection being rejected by the firewall.
|This makes me think that the firewall has a problem to handle the EPSV
|command parameters when they come from the proxy. The most obvious and
|immediate change for me is to disable EPSV at the proxy level for the
|clients. (In a second phase trying to get the FW vendor to acknowledge
|the problem and solve it).
|I can confirm that nopasv:cl does solve the problem but I didn't yet have
|a chance to test your patch. I will do so as soon as possible.
I uploaded 9.9.5-pre7 including the patch for FTPCONF="noepsv:cl".
9 9 Yutaka Sato <email@example.com> http://delegate.org/y.sato/
( ~ ) National Institute of Advanced Industrial Science and Technology
_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
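
Added example, not part of the original messages and not DeleGate code: a small model of a stateful FTP helper that opens a data-connection pinhole only for endpoints announced on the control channel, showing why a helper that parses the 227 (PASV) reply but not the 229 (EPSV, RFC 2428) reply rejects the extended-passive data connection. The sample replies, the address and the `understands_epsv` switch are constructed assumptions; the real firewall's internals are not known from the thread.

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPSV reply: "229 ... (<d><d><d>port<d>)", delimiter normally "|"
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

# Constructed sample replies (documentation address range, made-up ports).
SERVER_IP = "192.0.2.10"
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,80)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50001|)"


def data_endpoint(reply, control_peer_ip, understands_epsv=True):
    """Return the (ip, port) the server will listen on, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply) if understands_epsv else None
    if m:
        port = int(m.group(2))
        if 0 < port < 65536:
            # EPSV carries no address: the data connection goes to the
            # same host as the control connection.
            return control_peer_ip, port
    return None


def helper_allows(replies, control_peer_ip, attempt, understands_epsv):
    """Allow a data connection only if an earlier reply announced it."""
    pinholes = set()
    for reply in replies:
        endpoint = data_endpoint(reply, control_peer_ip, understands_epsv)
        if endpoint:
            pinholes.add(endpoint)
    return attempt in pinholes


if __name__ == "__main__":
    for epsv_ok in (True, False):
        ok = helper_allows([SAMPLE_EPSV], SERVER_IP,
                           (SERVER_IP, 50001), epsv_ok)
        print(f"helper parses 229: {epsv_ok} -> data connection allowed: {ok}")
```

With a helper like this in the path, making the proxy stop offering EPSV to clients leaves only 227 replies on the control channel, which the helper can follow.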