On Wed, Jan 15, 2003 at 04:03:31PM -0700, Ken Gunderson wrote:

> Anyhow, I patched ftp-proxy for reverse and have it up and running.  
> Question is, how robust is this?  (am wondering why it was not merged 
> into 3.2).  Can anyone comment on security/performance comparison 
> between ftp-proxy reverse and alternative solutions such as jftpgw? 

I haven't used jftpgw myself, but it serves about the same purpose, I'd
say. It also supports sftp, which ftp-proxy doesn't.

$ wc -l /usr/ports/net/jftpgw/w-*/jftpgw*/*.c
9531 total

$ wc -l /usr/libexec/ftp-proxy/*.c
1909 total

Having carefully read ftp-proxy but not jftpgw, I trust ftp-proxy more.
That is not to imply that jftpgw is insecure, I just haven't studied
it.

jftpgw has its own access controls, ftp-proxy doesn't. I'd rather have
my pf.conf do that, myself. jftpgw by default blocks data connections
to reserved ports, ftp-proxy doesn't. So if your internal ftp server
can be tricked into asking the client to connect to a reserved port for
a passive data connection, ftp-proxy will allow that. If there are
vulnerable services running on the ftp server, you'd have to block
connections to them with pf (on the internal interface). Otherwise the
two are similar. With either proxy, you should only allow the proxy
to establish connections that are expected and needed, blocking by
default using pf.

As to why the reverse proxy patch is not in the tree, ask beck@. If he
doesn't reply, there's your answer :)

Daniel
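The default-deny pf setup Daniel describes, written out as an added example that is not part of the thread: the proxy on the firewall may only open the control connection and passive data connections within the server's own passive range to the internal FTP server, so a PASV reply naming a reserved port goes nowhere. Interface, addresses and the passive range are assumed values.

```pf
# Added example, not from the original thread.  Assumed: fxp1 is the
# firewall's internal interface, 10.0.0.1 its address there, 10.0.0.25
# the internal FTP server, and ftp-proxy (reverse mode) runs on the
# firewall, so its connections to the server leave via fxp1.
int_if   = "fxp1"
int_addr = "10.0.0.1"
ftp_srv  = "10.0.0.25"
# Passive range the internal FTP server is configured to use (assumed;
# must match the server's own setting).
pasv_ports = "49152:65535"

# Block by default on the internal interface in both directions, so the
# proxy can only reach what the pass rules below list explicitly.
block out log on $int_if all
block in  log on $int_if all

# Control connection from the proxy to the internal FTP server.
pass out on $int_if proto tcp from $int_addr to $ftp_srv port 21 \
    flags S/SA keep state

# Passive data connections.  ftp-proxy does not filter the port named in
# the server's PASV reply, so this rule is what stops the proxy from
# connecting to a reserved port (< 1024) or any other service on the
# server: only the server's real passive range is allowed through.
pass out on $int_if proto tcp from $int_addr to $ftp_srv port $pasv_ports \
    flags S/SA keep state

# Nothing else from the proxy to the server passes; add a rule here only
# for connections that are actually expected and needed.
```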
