ftp-proxy broken by recent Firefox
cristi at net.utcluj.ro
Wed Jun 20 22:18:29 UTC 2007
I have a very restrictive NAT gateway. In order to provide outside FTP
access, I use FreeBSD 5.4 + PF + ftp-proxy. All clients are
transparently redirected to ftp-proxy, and both active and passive mode
used to work just fine. Packets are allowed if they are to/from user
proxy, so, even though FTP uses random ports, I have full control over
the traffic. Anyway, Firefox users were very happy.
This used to be a happy configuration, until "somebody" thought that
breaking the FTP RFC is a small sacrifice against paranoic security.
The following happens: Firefox is only able to do passive FTP. When
ftp-proxy receives the PASV command, it will return a data channel IP
which is different from the control channel IP. This is perfectly fine,
and RFCs regarded this as a feature. However, newer Firefox-es treat
this as an attack, and ignore the data channel IP and attempt to connect
to the same IP as the control channel. This of course fails.
Does anybody have a transparent solution to this problem? I tried using
"ftp-proxy -n" but due to the random nature of FTP data channel ports,
it is impossible to keep the gateway restricted while offering flawless
More information about the freebsd-net