Re: [RFC] ignore ftp_epsv off for IPv6

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 26 Jan 2014 14:05:15 +1300

On 25/01/2014 9:27 a.m., Alex Rousskov wrote:
> Hello,
>
> I propose to limit squid.conf "ftp_epsv off" prohibition to IPv4 FTP
> servers.
>
> Setting ftp_epsv to "off" is often necessary to correctly handle
> real-world cases where an IPv4 FTP server correctly responds to an EPSV
> command but is located behind a firewall that does not understand EPSV
> responses and, hence, does not allow the subsequent data connection
> through. This combination forces Squid admins to turn ftp_epsv off.
>
> However, turning ftp_epsv off to handle a few broken IPv4 FTP servers
> immediately breaks *all* IPv6 FTP servers because EPSV is required for
> any IPv6 FTP server to exchange data. The old PASV command is not
> flexible enough to serve IPv6 needs. See RFC 2428 for details.
>
> Since using EPSV with IPv6 servers cannot make matters worse and will
> make them better in many cases, I suggest ignoring "ftp_epsv off" when
> Squid has to talk to an IPv6 FTP server.
>
>
> Do you think it would be OK to allow the use of EPSV commands with IPv6
> servers even if ftp_epsv is off?

"off" should never be abused to mean half-off. We are having enough
trouble with "forwarded_for off" historically meaning something other
than disabling the XFF feature.

I think extending the directive to allow selective disabling with
no-ipv6 or no-ipv4 values would be better.

Amos
Received on Sun Jan 26 2014 - 01:05:21 MST
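
Added example (not part of either message and not Squid code): a sketch of why the quoted proposal says PASV cannot serve IPv6, parsing the RFC 959 `227` reply and the RFC 2428 `229` reply side by side. The function names and sample replies are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: four IPv4 address octets followed by two port octets.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: "(<d><d><d>port<d>)", a port and no address at all.
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

# Constructed sample replies (documentation address ranges, not captured traffic).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,19,137)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||6446|)"


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the host can only ever be IPv4."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_epsv(reply, control_peer):
    """Return (host, port) from a 229 reply; host is the control connection's peer."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or m is None:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % reply)
    return control_peer, port


def data_endpoint(control_peer, epsv_reply=None, pasv_reply=None):
    """Choose the passive-mode data endpoint from whichever reply is available."""
    peer = ipaddress.ip_address(control_peer)
    if epsv_reply is not None:
        return parse_epsv(epsv_reply, str(peer))
    if peer.version == 6:
        # With EPSV disabled there is no reply format that can name this peer.
        raise ValueError("PASV cannot describe an IPv6 data endpoint")
    if pasv_reply is None:
        raise ValueError("no passive-mode reply supplied")
    return parse_pasv(pasv_reply)
```

Because the EPSV reply carries only a port, the data connection always goes to the address the control connection already reached, which is what lets it work for both address families.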