Beefy Boxes and Bandwidth Generously Provided by pair Networks
"be consistent"
 
PerlMonks  

Re^3: Net::FTPServer problem with active/passive connections

by mr_mischief (Prior)
on Sep 20, 2008 at 00:45 UTC ( #712667=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Net::FTPServer problem with active/passive connections
in thread Net::FTPServer problem with active/passive connections

Section 3 of RFC 2577 describes how to mitigate or eliminate bounce attacks for proxy FTP. It recommends specifically against opening a port below 1024 on the remote host at the request of the PORT command. It also allows for disabling the PORT command altogether to prevent that particular form of network abuse. Disabling PORT for a mismatched address is a convenient security workaround.

The code you quote is, in the latest Net::FTPServer on CPAN anyway, wrapped in a configuration if-block:

unless ($self->config ("allow proxy ftp")) { if (!$self->{_test_mode} && $hostaddrstring ne $self->{peeraddrstr +ing}) { # See RFC 2577 section 3. $self->reply (504, "Proxy FTP is not allowed on this server.") +; return; } }
I suggest that if you absolutely need to use the PORT command for FTP which validly appears to the server to be proxy FTP, that you enable 'allow proxy ftp' in the configuration. This is explained in this part of the documentation for the module:
allow proxy ftp

Allow proxy FTP. If this is set, then the FTP server can be told to actively connect to addresses and ports on any machine in the world. This is not such a great idea, but required if you follow the RFC very closely. If not set (the default), the FTP server will only connect back to the client machine.

My preferred suggestion is to fix your NAT so that it handles FTP properly. As a last resort, open your server to attacking every machine on the Internet if you really must. That's what enabling proxy FTP does.


Comment on Re^3: Net::FTPServer problem with active/passive connections
Download Code

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://712667]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (6)
As of 2014-07-23 03:04 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (131 votes), past polls