[RFC] ignore ftp_epsv off for IPv6

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 24 Jan 2014 13:27:15 -0700

Hello,

    I propose to limit squid.conf "ftp_epsv off" prohibition to IPv4 FTP
servers.

Setting ftp_epsv to "off" is often necessary to correctly handle
real-world cases where an IPv4 FTP server correctly responds to an EPSV
command but is located behind a firewall that does not understand EPSV
responses and, hence, does not allow the subsequent data connection
through. This combination forces Squid admins to turn ftp_epsv off.

However, turning ftp_epsv off to handle a few broken IPv4 FTP servers
immediately breaks *all* IPv6 FTP servers because EPSV is required for
any IPv6 FTP server to exchange data. The old PASV command is not
flexible enough to serve IPv6 needs. See RFC 2428 for details.

Since using EPSV with IPv6 servers cannot make matters worse and will
make them better in many cases, I suggest ignoring "ftp_epsv off" when
Squid has to talk to an IPv6 FTP server.

Do you think it would be OK to allow the use of EPSV commands with IPv6
servers even if ftp_epsv is off?

Thank you,

Alex.
P.S. This problem was discovered in early Native FTP proxy feature
deployments, but it will be relevant to the FTP gateway code as well.

P.P.S. The same logic would apply to EPRT, I guess.
Received on Fri Jan 24 2014 - 20:27:30 MST
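The behaviour proposed in the message above, together with the RFC 959 and RFC 2428 reply formats that explain why PASV cannot serve IPv6, as an added C++ example. It is not Squid code and not part of the original message; the function names and sample replies are constructed for illustration.

```cpp
// Added illustration, not Squid source code; all names are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <string>

struct DataEndpoint { std::string host; int port; }; // host empty after EPSV: reuse control peer

// Proposed policy: "ftp_epsv off" suppresses EPSV only for IPv4 servers.
std::string passiveCommand(bool ftpEpsvOn, bool serverIsIPv6) {
    return (ftpEpsvOn || serverIsIPv6) ? "EPSV" : "PASV";
}

// RFC 959 reply 227 (h1,h2,h3,h4,p1,p2): four address octets, so no room for IPv6.
bool parse227(const std::string &reply, DataEndpoint &out) {
    const auto open = reply.find('(');
    int f[6]; // h1..h4, p1, p2
    if (reply.compare(0, 3, "227") != 0 || open == std::string::npos ||
        std::sscanf(reply.c_str() + open, "(%d,%d,%d,%d,%d,%d", &f[0], &f[1],
                    &f[2], &f[3], &f[4], &f[5]) != 6)
        return false;
    for (int v : f)
        if (v < 0 || v > 255) return false;
    out.host = std::to_string(f[0]) + "." + std::to_string(f[1]) + "." +
               std::to_string(f[2]) + "." + std::to_string(f[3]);
    out.port = f[4] * 256 + f[5];
    return true;
}

// RFC 2428 reply 229 (<d><d><d>port<d>): port only, so it fits either address family.
bool parse229(const std::string &reply, DataEndpoint &out) {
    const auto open = reply.find('(');
    char d[4], digits[6];
    int end = 0; // set by %n only if the closing ')' was matched
    if (reply.compare(0, 3, "229") != 0 || open == std::string::npos ||
        std::sscanf(reply.c_str() + open, "(%c%c%c%5[0-9]%c)%n", &d[0], &d[1],
                    &d[2], digits, &d[3], &end) != 5 || end == 0)
        return false;
    const int port = std::atoi(digits);
    if (d[1] != d[0] || d[2] != d[0] || d[3] != d[0] || port < 1 || port > 65535)
        return false;
    out = DataEndpoint{"", port};
    return true;
}

int main() { // constructed sample: ftp_epsv off, IPv6 server
    DataEndpoint e;
    const bool ok = parse229("229 Entering Extended Passive Mode (|||6446|)", e);
    std::printf("%s -> port %d\n", passiveCommand(false, true).c_str(), ok ? e.port : -1);
}
```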
