Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1998/08/03 19:38:22 UTC

mod_proxy/2770: FTP proxy over firewall fails (fwd)

Erm... I would suggest that they just shouldn't do that and that their
firewall config is broken.  Even when things are changed to do what they
suggest, they say it doesn't work right so I'm not sure the sense of
changing them.

Either the proxy has to be able to open a connection to the server for the
data transfer or the server has to be able to open a connection to the
proxy.  Period.

---------- Forwarded message ----------
Date: 3 Aug 1998 16:48:02 -0000
From: Andreas Pflug <Pf...@It-Warehouse.DE>
To: apbugs@hyperreal.org
Subject: mod_proxy/2770: FTP proxy over firewall fails


>Number:         2770
>Category:       mod_proxy
>Synopsis:       FTP proxy over firewall fails
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Mon Aug  3 09:50:02 PDT 1998
>Last-Modified:
>Originator:     Pflug@It-Warehouse.DE
>Organization:
apache
>Release:        1.3.0
>Environment:
Linux 2.0.34
>Description:
I'm running Apache as proxy on a firewall blocking connections between unknown ports. FTP transfer to e.g. ftp.microsoft.com will establish a PASV connection between two unknown ports if firewalling is disabled, but fail otherwise. I commented out the PASV section in proxy_ftp.c (line 770 "try to setup PASV first" to line 846 "try the regular way") with some success (ftp.netscape.com would work, the data connection was proxy:unknown to ftp.netscape.com:21 as expected). With ftp.microsoft.com, a connection between proxy:21 and ftp.microsoft.com:21 was established, but the browser will simply time out. No error_log entry.
>How-To-Repeat:
access (any) ftp-server when only connections from/to well-known ports (20, 21) are allowed.
>Fix:
Configuration option: use well-known ports only; try regular mode first, then PASV
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
Re: mod_proxy/2770: FTP proxy over firewall fails (fwd)

Posted by Chuck Murcko <ch...@topsail.org>.
Yep. The firewall has to support either active or passive FTP, and the
associated ports. Trouble is, lots of people seem to think closing off
all the high-numbered ports is a security win.

PASV is tried first, because it's safer to establish two outbound
connects than to allow an inbound one, perhaps into your internal net.

The proxy should try to establish an active connect if the data connect
for PASV fails.

Marc Slemko wrote:
> 
> Erm... I would suggest that they just shouldn't do that and that their
> firewall config is broken.  Even when things are changed to do what they
> suggest, they say it doesn't work right so I'm not sure the sense of
> changing them.
> 
> Either the proxy has to be able to open a connection to the server for the
> data transfer or the server has to be able to open a connection to the
> proxy.  Period.
> 
-- 
chuck
Chuck Murcko            The Topsail Group             West Chester PA
USA
chuck@topsail.org
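The negotiation Chuck describes (PASV first because both connects leave the proxy, active mode as the fallback) and the reporter's firewall rule, played out offline as an added example. This is not code from mod_proxy or from anyone in the thread: the scripted server, the two firewall policies, the addresses 203.0.113.10 and 192.0.2.5 and the port numbers are all constructed assumptions, and `well_known_only` / `outbound_only` are hypothetical names for the reporter's "no connections between unknown ports" rule and for a stateful firewall that allows nothing inbound.

```python
"""Negotiate an FTP data channel the way the thread describes: try PASV
first (both connects leave the proxy), fall back to active mode (PORT) when
the firewall blocks the PASV data connect. The server and the firewall are
simulated so the exchange runs offline."""
import re
from typing import Callable, Optional, Tuple

PASV_REPLY_RE = re.compile(r"\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def parse_pasv_reply(reply: str, expected_host: Optional[str] = None) -> Tuple[str, int]:
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' into (host, port).

    If expected_host is given, the advertised address must match the server we
    are already talking to; otherwise a hostile server could point the proxy's
    data connect at a third party."""
    m = PASV_REPLY_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a usable PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    if expected_host is not None and host != expected_host:
        raise ValueError("PASV address %s differs from control peer %s" % (host, expected_host))
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Build 'PORT h1,h2,h3,h4,p1,p2' naming the proxy's listening data socket."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad host/port for PORT: %s:%s" % (host, port))
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


# A firewall rule: (direction, src_port, dst_port) -> allowed?  'out' means the
# proxy opens the connection, 'in' means the server opens it towards the proxy.
Policy = Callable[[str, int, int], bool]


def well_known_only(direction: str, src_port: int, dst_port: int) -> bool:
    """Assumed model of the reporter's firewall: refuse connections between two unknown ports."""
    return src_port in (20, 21) or dst_port in (20, 21)


def outbound_only(direction: str, src_port: int, dst_port: int) -> bool:
    """Assumed stateful firewall that lets the proxy out but nobody in."""
    return direction == "out"


class ScriptedFtpServer:
    """Constructed stand-in for a remote FTP server; only PASV and PORT matter here."""

    def __init__(self, host: str, pasv_port: int, supports_pasv: bool = True):
        self.host = host
        self.pasv_port = pasv_port
        self.supports_pasv = supports_pasv

    def command(self, line: str) -> str:
        if line == "PASV":
            if not self.supports_pasv:
                return "502 PASV not implemented."
            return "227 Entering Passive Mode (%s,%d,%d)." % (
                self.host.replace(".", ","), self.pasv_port // 256, self.pasv_port % 256)
        if line.startswith("PORT "):
            return "200 PORT command successful."
        return "500 Unknown command."


def negotiate_data_channel(server: ScriptedFtpServer, proxy_host: str,
                           proxy_data_port: int, policy: Policy) -> Tuple[str, str, int]:
    """Return (mode, peer_host, peer_port) for a data connection the firewall permits."""
    reply = server.command("PASV")
    if reply.startswith("227"):
        host, port = parse_pasv_reply(reply, expected_host=server.host)
        # PASV data connect: proxy:ephemeral -> server:port, opened by the proxy.
        if policy("out", proxy_data_port, port):
            return "pasv", host, port
    # Active fallback: the server connects from port 20 to the proxy's data port.
    reply = server.command(build_port_command(proxy_host, proxy_data_port))
    if reply.startswith("200") and policy("in", 20, proxy_data_port):
        return "active", proxy_host, proxy_data_port
    raise RuntimeError("no data channel: firewall blocks both PASV and active mode")


if __name__ == "__main__":
    srv = ScriptedFtpServer("203.0.113.10", pasv_port=49152)
    for name, pol in (("well-known-only", well_known_only), ("outbound-only", outbound_only)):
        print(name, negotiate_data_channel(srv, "192.0.2.5", 40000, pol))
```

Run as-is, the reporter's rule forces active mode (the server comes back from port 20 to the proxy's data port, which is exactly the inbound connection Chuck calls the less safe option), while the stateful firewall takes the PASV path. A policy that allows neither raises, which is Marc's "Period." in code. The `expected_host` check is the one extra a proxy operator should insist on: a 227 reply can name any address, and a proxy that blindly connects there becomes a relay for the remote server.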