> I'm not proposing a kernel ftp proxy -- I agree that there are
> conditions [...] that are almost impossible to handle correctly.
Actually, I think I'm going to change my mind here (am I allowed to do that? ;-)

An imperfect kernel FTP proxy (as provided by iptables or ipfilter) is surely still better than nothing when firewalling an FTP server. If the userland FTP proxy can't easily be made fully transparent, then a kernel FTP filter is still useful. Implemented correctly, it's a second line of defense: it won't allow any packets that I wouldn't otherwise have allowed anyway, but might block some that I am currently forced to allow.

Put another way: the fact that you can't spot all invalid packets that might be sent to my FTP server isn't an argument for not blocking those that you can spot...

-roy
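The "second line of defense" argument above, as an added example that is not part of the original thread or any project's own code: two iptables rule sets for a passive-mode FTP server, one written without the kernel FTP helper and one with it. Without the helper, the whole passive data-port range has to accept new connections from anyone, because the kernel has no way to tie a data connection to the control session that announced it. With nf_conntrack_ftp loaded, the data connection shows up as RELATED to the control session and only that is accepted, so the helper can block connections the first rule set is forced to allow, and admits nothing the first rule set would have dropped. The control port (21), the passive range (50000-50100), the module name and the kernel-4.7+ explicit helper binding are assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rule sets for a passive-mode
# FTP server with and without the kernel FTP helper (nf_conntrack_ftp).
# Assumed values, not given in the thread: control port 21, passive data port
# range 50000-50100, an empty INPUT chain to append to.
# Run with IPT=echo to print the rules instead of loading them.
set -eu
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}
PASV_RANGE=${PASV_RANGE:-50000:50100}

# Policy common to both variants: loopback, replies to connections we already
# accepted, ICMP errors tied to them, and new control connections to port 21.
base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
}

# No helper: the kernel cannot tie a passive data connection to the control
# session that announced it, so the whole passive range must accept NEW
# connections from any source, whether or not a control session exists.
rules_without_helper() {
    base_rules
    $IPT -A INPUT -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT
    # Default deny goes last so a live session is not cut off mid-way.
    $IPT -P INPUT DROP
}

# Helper loaded: nf_conntrack_ftp parses the server's 227 reply on port 21 and
# registers an expectation, so the matching data connection arrives as RELATED.
# Only such connections, and only inside the configured passive range, are
# accepted; a data connection that no control session announced falls through
# to the default DROP. Nothing the no-helper rule set would have blocked is
# admitted here, which is what makes the helper a second line of defense.
rules_with_helper() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || true
    # Since kernel 4.7 helpers are not auto-assigned; bind it to port 21 explicitly.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    base_rules
    $IPT -A INPUT -p tcp --dport "$PASV_RANGE" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
    $IPT -P INPUT DROP
}

case "${1:-}" in
    with)    rules_with_helper ;;
    without) rules_without_helper ;;
    *)       echo "usage: $0 with|without   (set IPT=echo for a dry run)" >&2 ;;
esac
```

Compare the two outputs of a dry run (IPT=echo ./ftp-rules.sh without vs. with): the only rule that opens the passive range to NEW connections disappears in the helper variant, and the range becomes reachable solely through a RELATED match that the ftp helper itself produced. Whether the helper correctly parses every possible 227 reply is a separate question; the rules never grant more than the no-helper set did, which is the point made above.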