On 2025-07-25 08:43, Matus UHLAR - fantomas wrote:
> I see that squid has FTP support for some time:
> # TAG: ftp_port ...
> But I can't see any options related to PASV and PORT session setup.
> From what I saw in sources (with my limited knowledge of C++) it seems
> that squid tries to pass
Squid FTP server (i.e. the functionality behind ftp_port) tries to
support both passive and active data transfers. FTP client decides what
mode to use by sending either FTP PORT or FTP PASV command.
> Can I configure/limit these ports somehow?
> e.g. disabling PORT/EPRT and limiting PASV to ports e.g. 32736-32767
I hope that the answer to your question is "yes", but I have not checked
any details or tested the current implementation; IIRC,
* You can deny PORT/EPRT commands using http_access rules. See
squid.conf.documented paragraph that is quoted at the end of this email.
In cache.log, you can see HTTP-like messages (that your http_access
rules will need to match) using debug_options set to "ALL,2" or
"ALL,1 9,2". Look for "FTP Client REQUEST" phrases.
* You can control PASV port range using your OS settings for ephemeral
port ranges (e.g., net.ipv4.ip_local_port_range and friends on Linux).
HTH,
Alex.
Native FTP commands accepted at ftp_port are internally converted or
wrapped into HTTP-like messages. The same happens to Native FTP
responses received from FTP origin servers. Those HTTP-like messages
are shoveled through regular access control and adaptation layers
between the FTP client and the FTP origin server. This allows Squid to
examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
mechanisms when shoveling wrapped FTP messages. For example,
http_access and adaptation_access directives are used.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
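An added squid.conf fragment that puts the two suggestions from the reply together; it is not from the thread or the Squid project. It assumes (which the reply does not confirm) that the wrapped FTP command is what an `acl ... method` rule matches, uses the 32736-32767 range from the question, and treats the ftp_port number and the client subnet as constructed values.

```conf
# Added example, not from the thread: squid.conf fragment for an ftp_port relay.
# Assumption: the HTTP-like message built from a native FTP command carries the
# FTP command as its request method, so "acl ... method" can match it.
# Verify that with the cache.log check below before relying on it.

ftp_port 2121                      # constructed port number

# Question 1: refuse active-mode data setup by denying PORT/EPRT commands.
# The wrapped FTP messages pass through http_access like HTTP requests.
acl ftp_active_mode method PORT EPRT
acl localnet src 192.0.2.0/24      # constructed client subnet
http_access deny ftp_active_mode
http_access allow localnet
http_access deny all

# Check: make Squid log the HTTP-like messages it builds from FTP commands
# (section 9 is FTP), then search cache.log for "FTP Client REQUEST" to see
# the exact method names your rules must match. Revert once confirmed.
# debug_options ALL,1 9,2

# Question 2: Squid has no PASV port-range directive; the data port it listens
# on comes from the OS ephemeral range. On Linux, as root (this changes the
# ephemeral range for every process on the host, not only Squid):
#   sysctl -w net.ipv4.ip_local_port_range="32736 32767"
```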