Problem with ftp-proxy

Mark Felder feld at feld.me
Tue Jun 18 11:32:57 UTC 2013


On Tue, 18 Jun 2013 06:11:43 -0500, Rainer Duffner  
<rainer at ultra-secure.de> wrote:

> Hi,
>
>
> I use ftp-proxy, together with the patch that starts multiple instances:
>

I recommend avoiding ftp-proxy and setting up static rules that you know  
will work. On our systems in pure-ftpd.conf we set

PassivePortRange          3000 3200

and then on the system's firewall and every firewall in front we pass  
through ports 3000-3200. It's a simple solution that's guaranteed to work,  
and you don't have to debug what the proxy is doing.

Also, most ftp-proxy software tends to do a very bad job once you start  
throwing in FTPES. We see this with customer firewalls all the time. These  
firewall services under the guise of "proxys", "fixups", or "Application  
Layer Gateways" are just inconsistent and unreliable no matter which  
vendor supplies it.

Note, you may have to make the range larger if you expect more than 200  
concurrent sessions.


More information about the freebsd-stable mailing list