On Mon, Feb 07, 2005 at 10:08:24AM -0500, Peter Fraser wrote:
> After reading the ftp rfc's (959 and 1123) I don't understand
> how ftp-proxy can work without support of pf, and any
> ftp client that works in active mode with the current ftp-proxy
> is in violation of these rfc's.
>
> In particular section 3.2 of rfc949 and 4.1.2.12 of rfc1123
> together say that the data from an active ftp connection
> must come from port ftp-data and the IP address of the
> control channel (i.e. the IP address the ftp open command)
The requirement that the data connection must come from port ftp-data is commonly relaxed. In order for the ftp server to use port 20 (which is privileged, < 1024), the server would have to run as root permanently. Most server operators prefer their daemon to drop privileges and violate the RFC (if it is indeed a violation, I haven't checked), and most clients have to relax to interoperate.

The second requirement, that the data connection source must match the control connection peer, is also often violated. For instance, the OpenBSD ftp(8) client does not enforce it. The reverse also happens regularly, an ftp server getting a data connection from a client having a different source address than the one used by the control connection (see -P in ftpd(8)).

It's not just NAT that causes these cases. If you're doing a server-to-server transfer (aka FXP), you connect a client to two different servers concurrently. You tell the first one that you want to upload a file and that it should tell you what address:port to connect to for that data. Once you have that information, you tell the second server you want to download a file, and that it should connect to the address:port obtained from the first server. The servers will then transfer the file among themselves, without going through your client at all. This is particularly useful if the servers have higher bandwidth between themselves than your client has to either of them.

In short, most sufficiently-advanced ftp clients (and servers) have options to enable or disable these restrictions. It might be true that a strictly RFC compliant ftp client will not work with ftp-proxy. But that client will then also not work with a significant number of real ftp servers out there, either.

Daniel
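As an added illustration (not part of this thread, and not code from ftp-proxy or ftpd), the Python below parses a PASV reply, builds the PORT command an FXP client would forward to the second server, and applies the two checks discussed above (RFC 1123 4.1.2.12 address match, RFC 959 3.2 source port 20) in strict and relaxed form. All addresses and ports are constructed sample values.

```python
import re

# RFC 959 3.2: the server's default data port is L-1, i.e. 20 (ftp-data) when L = 21.
FTP_DATA_PORT = 20

# Matches the h1,h2,h3,h4,p1,p2 tuple of a "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(ip: str, port: int) -> str:
    """Build the PORT command that advertises ip:port as the data endpoint."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_data_endpoint(control_peer: str, data_ip: str, strict: bool):
    """RFC 1123 4.1.2.12 check: the data endpoint must be the control-connection peer.
    strict=True rejects a mismatch; strict=False tolerates it (NAT, FXP)."""
    if data_ip == control_peer:
        return True, "data address matches control peer"
    if strict:
        return False, f"data address {data_ip} differs from control peer {control_peer}"
    return True, "address mismatch tolerated"


def check_active_source(src_port: int, strict: bool) -> bool:
    """RFC 959 3.2 check on an incoming active-mode data connection: source port 20.
    A server that has dropped root cannot bind 20, so most clients relax this."""
    return src_port == FTP_DATA_PORT or not strict


def fxp_port_for_second_server(pasv_reply_from_first: str) -> str:
    """FXP: turn server A's 227 reply into the PORT command sent to server B."""
    ip, port = parse_pasv(pasv_reply_from_first)
    return port_command(ip, port)
```

From server B's point of view the PORT address produced by fxp_port_for_second_server is not its control peer, which is exactly the mismatch a strict check_data_endpoint rejects.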
