> I'm not proposing a kernel ftp proxy -- I agree that there are
> conditions [...] that are almost impossible to handle correctly.

Actually, I think I'm going to change my mind here (am I allowed to do
that? ;-)

An imperfect kernel FTP proxy (as provided by iptables or ipfilter) is
surely still better than nothing when firewalling an FTP server.  If
the userland FTP proxy can't easily be made fully transparent, then a
kernel FTP filter is still useful.

Implemented correctly, it's a second line of defense: it won't allow
any packets that I wouldn't otherwise have allowed anyway, but might
block some that I am currently forced to allow.

Put another way: the fact that you can't spot all invalid packets that
might be sent to my FTP server isn't an argument for not blocking
those that you can spot...

     -roy
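The check such a kernel-level FTP filter performs on the control channel, written out as an added example that is not part of Roy's message and is not the iptables or ipfilter code: it parses the PORT command and the 227 passive-mode reply, refuses an announcement whose address is not the peer that made it (the classic bounce relay), and then admits exactly one matching data-channel SYN. The addresses, the line samples, the function and class names, and the "refuse data ports below 1024" rule are assumptions of this example, not something the thread or the kernel helpers specify.

```python
import ipaddress
import re

# Constructed sample endpoints for the control connection (example data, not from the thread).
CLIENT_IP = "203.0.113.10"   # FTP client
SERVER_IP = "198.51.100.5"   # firewalled FTP server

# "PORT h1,h2,h3,h4,p1,p2" sent by the client (active mode)
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server (passive mode)
_PASV_RE = re.compile(r"^227\s+.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def _decode_hostport(spec):
    """Turn the 'h1,h2,h3,h4,p1,p2' form into ('h1.h2.h3.h4', p1*256+p2)."""
    parts = [int(p) for p in spec.split(",")]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in %r" % spec)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def inspect_control_line(line, client_ip, server_ip, loose=False):
    """Classify one line seen on the FTP control channel.

    Returns one of:
      ("ignore", None)                    line announces no data connection
      ("drop", reason)                    announcement refused, nothing opened
      ("expect", (src_ip, dst_ip, port))  the single data connection to admit
    The address check (announced host must be the peer that announced it) is
    what stops a third party from using the server as a bounce relay; `loose`
    disables it for multi-homed or NAT'd peers.
    """
    m = _PORT_RE.match(line)
    if m:
        announcer, initiator = client_ip, server_ip   # server connects back to client
    else:
        m = _PASV_RE.match(line)
        if not m:
            return ("ignore", None)
        announcer, initiator = server_ip, client_ip   # client connects to server
    try:
        host, port = _decode_hostport(m.group(1))
    except ValueError as exc:
        return ("drop", str(exc))
    if port < 1024:
        # Assumption of this example: refuse data channels on privileged ports,
        # which a legitimate peer has no reason to announce.
        return ("drop", "privileged data port %d" % port)
    if not loose and ipaddress.ip_address(host) != ipaddress.ip_address(announcer):
        return ("drop", "announced %s but control peer is %s" % (host, announcer))
    return ("expect", (initiator, host, port))


class DataChannelFilter:
    """Admit a data-channel SYN only if the control channel announced it.

    Each expectation is one-shot: once a matching SYN is seen it is consumed,
    so a later connection to the same port is dropped again.
    """

    def __init__(self):
        self.expectations = set()

    def observe_control(self, line, client_ip, server_ip, loose=False):
        verdict, detail = inspect_control_line(line, client_ip, server_ip, loose)
        if verdict == "expect":
            self.expectations.add(detail)
        return verdict, detail

    def data_syn_allowed(self, src_ip, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)
            return True
        return False


def demo():
    """Constructed control-channel lines run through the filter."""
    f = DataChannelFilter()
    lines = [
        "USER anonymous",
        "PORT 203,0,113,10,4,1",                           # legitimate active-mode request
        "PORT 192,0,2,1,4,1",                              # bounce attempt: third-party host
        "227 Entering Passive Mode (198,51,100,5,39,16)",  # legitimate passive-mode reply
    ]
    verdicts = [f.observe_control(l, CLIENT_IP, SERVER_IP)[0] for l in lines]
    allowed = [
        f.data_syn_allowed(SERVER_IP, CLIENT_IP, 1025),    # matches the PORT line
        f.data_syn_allowed(SERVER_IP, "192.0.2.1", 1025),  # never expected
        f.data_syn_allowed(CLIENT_IP, SERVER_IP, 10000),   # matches the 227 line
        f.data_syn_allowed(CLIENT_IP, SERVER_IP, 10000),   # replay: expectation consumed
    ]
    return verdicts, allowed


if __name__ == "__main__":
    print(demo())
```

This is the "second line of defense" property from the message in concrete form: a data connection is only ever admitted when a matching announcement was seen, so the filter never lets through a packet that a plain "allow ports above 1023" rule would not also have allowed, but it does refuse the bounce request and the unsolicited SYNs. The usual caveat applies: the filter can only read a cleartext control channel, so once the session switches to TLS (AUTH TLS) it sees nothing and falls back to whatever the static rules permit.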
