httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject mod_proxy/2770: FTP proxy over firewall fails (fwd)
Date Mon, 03 Aug 1998 17:38:22 GMT
Erm... I would suggest that they just shouldn't do that and that their
firewall config is broken.  Even when things are changed to do what they
suggest, they say it doesn't work right so I'm not sure of the sense of
changing them.

Either the proxy has to be able to open a connection to the server for the
data transfer or the server has to be able to open a connection to the
proxy.  Period.

---------- Forwarded message ----------
Date: 3 Aug 1998 16:48:02 -0000
From: Andreas Pflug <Pflug@It-Warehouse.DE>
To: apbugs@hyperreal.org
Subject: mod_proxy/2770: FTP proxy over firewall fails


>Number:         2770
>Category:       mod_proxy
>Synopsis:       FTP proxy over firewall fails
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Mon Aug  3 09:50:02 PDT 1998
>Last-Modified:
>Originator:     Pflug@It-Warehouse.DE
>Organization:
apache
>Release:        1.3.0
>Environment:
Linux 2.0.34
>Description:
I'm running Apache as proxy on a firewall blocking connections between unknown ports. FTP
transfer to e.g. ftp.microsoft.com will establish a PASV connection between two unknown ports
if firewalling is disabled, but fail otherwise. I commented out the PASV section in proxy_ftp.c
(line 770 "try to setup PASV first" to line 846 "try the regular way") with some success (ftp.netscape.com
would work, the data connection was proxy:unknown to ftp.netscape.com:21 as expected). With
ftp.microsoft.com, a connection between proxy:21 and ftp.microsoft.com:21 was established,
but the browser will simply time out. No error_log entry.
>How-To-Repeat:
access (any) ftp-server when only connections from/to well-known ports (20, 21) are allowed.
>Fix:
Configuration option: use well-known ports only; try regular mode first, then PASV
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
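
The two data-connection directions discussed in this thread, as an added example that is not part of the original messages or of mod_proxy: it decodes an RFC 959 PORT command and 227 reply and checks the resulting connection against the reporter's firewall rule, modeled here (an assumption) as "allowed if either port is 20 or 21". The addresses, ports and function names are constructed for illustration.

```python
import re

WELL_KNOWN = {20, 21}  # assumption: the report's rule, "only from/to ports 20, 21"

def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PORT command or 227 reply (RFC 959)."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", line)
    if not m:
        raise ValueError(f"no host/port tuple in {line!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {line!r}")
    # The port is sent as two bytes, high byte first.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, server_ip, proxy_ip, ephemeral=40000):
    """Return (src_ip, src_port, dst_ip, dst_port) of the data connection.

    `ephemeral` stands in for the unprivileged source port the proxy's
    kernel would pick in passive mode (constructed value).
    """
    ip, port = parse_hostport(line)
    word = line.lstrip().upper()
    if word.startswith("227"):
        # Passive: the server listens on the port it announced and the
        # proxy opens the connection to it.
        return (proxy_ip, ephemeral, ip, port)
    if word.startswith("PORT"):
        # Active ("the regular way"): the proxy listens on the port it
        # announced and the server connects from its ftp-data port, 20.
        return (server_ip, 20, ip, port)
    raise ValueError(f"not a PORT command or 227 reply: {line!r}")

def firewall_allows(conn):
    """Apply the modeled rule: one end of the connection must be port 20 or 21."""
    _, src_port, _, dst_port = conn
    return src_port in WELL_KNOWN or dst_port in WELL_KNOWN

# Constructed sample lines using documentation addresses (RFC 5737).
SERVER, PROXY = "192.0.2.10", "198.51.100.5"
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)"
PORT_CMD = "PORT 198,51,100,5,156,64"

if __name__ == "__main__":
    for line in (PASV_REPLY, PORT_CMD):
        conn = data_connection(line, SERVER, PROXY)
        print(line, "->", conn, "allowed" if firewall_allows(conn) else "blocked")
```

Under this rule the passive connection is dropped because both ends are unprivileged ports, while the active one passes only because the firewall lets the server open an inbound connection from port 20 to the proxy.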




