curl-library
Re: FTP_IGNORE_PASSIV_IP
Date: Thu, 23 Sep 2004 19:14:47 -0400
I don't understand how it's wildly misconfigured. Although I agree that it
would be best if the FTPS host was advertising the public IP address in the
PASV response, that host has no reliable way of knowing what the public IP
address is. Their FTPS server is reporting its actual (private) IP address,
but the host is being accessed through the Internet via a NAT firewall. I
agree it is a shortcoming of the server, but do you know of a server that
has an option to report its IP address as something other than the host IP?
(Not that the vendors whose sites I am accessing could or would change
their server software.)
Thanks for the feedback!
From: Dan Fandrich <dan_at_coneharvesters.com>
Sent by: curl-library-bounces_at_cool.haxx.se
To: libcurl development <curl-library_at_cool.haxx.se>
Subject: Re: FTP_IGNORE_PASSIV_IP
Date: 09/23/2004 03:14 PM
Please respond to: libcurl development
On Thu, Sep 23, 2004 at 08:50:04AM -0400, ED_Hingsbergen_at_cisgi.com wrote:
> One thing I perhaps did not make obvious enough - it is not my firewall
> that is the problem, but the firewall at the host site of a vendor to whom
> we wish to connect. Actually, I've seen the same situation with three
> separate FTPS hosts, with the identical scenario, and this fix resolves it.
> I don't know much about their firewall configuration, but know that they
> restrict traffic by source IP address; I am assuming they allow any traffic
> from our IP on the specified ports.
> This is a commercial setting - the server in at least one of these cases is
> a Sterling Commerce product (part of their "CONNECT" series), but the
> problem clearly is not server-specific.
> While configuring our connection to the first of these, I proposed that we
> use curl as a client (rather than the cumbersome commercial, closed source
> client they recommended). The IT staff at that site warned me that most
> FTPS clients would have trouble, specifically because they could not ignore
> the IP address passed in the passive response.
"The IT staff at that site warned me that most FTPS clients would have
trouble, specifically because they could not conform to their broken network
configuration." Their network setup is obviously the problem here. Their
ftp server is lying about the address in the PASV response and they want
the clients to break the ftp protocol to work. Their ftp server should
be using SOCKS or some other protocol to their router so that they can
send correct information in the PASV response and conform to the ftp spec.
Mutating libcurl to handle this case like you've done is a reasonable
solution if they're not going to fix their ftp server. But, IMHO, this
kind of hack shouldn't be in the released libcurl source.
> I can't imagine that this would not be a common problem with someone trying
> to connect to a commercial FTPS server across the Internet.
It's only a problem in a wildly misconfigured setup, like the one
you describe.
>>> Dan
Received on 2004-09-24
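As an added illustration (not code from this thread or from libcurl), the decision the two mails argue about, in Python: parse a 227 PASV reply and decide whether to dial the advertised address or reuse the control connection's peer, either unconditionally (the ignore-PASV-IP behaviour being proposed) or only when the advertised address is a private, non-routable one like the NAT-internal address the vendor's server sends. The addresses and the reply line are constructed sample values.

```python
import ipaddress
import re

# Constructed sample exchange (not from the thread): we dialled the server's
# public address, but its 227 reply carries the NAT-internal address.
CONTROL_PEER_IP = "198.51.100.7"
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"

# h1,h2,h3,h4,p1,p2 per RFC 959; parentheses are not required because some
# servers omit them.
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; raise ValueError on a malformed one."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no address tuple in %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), port


def choose_data_address(reply, control_peer_ip, skip_pasv_ip=False):
    """Pick (ip, port, reason) for the data connection.

    skip_pasv_ip is the behaviour the thread asks for: always reuse the
    control connection's peer.  Without it, an advertised address that is
    RFC 1918, loopback, link-local, 0.0.0.0 or a documentation range (all
    'private' to ipaddress) cannot be the address we reached, so fall back
    rather than dial it; a public address is used as RFC 959 intends.
    """
    ip, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_peer_ip, port, "skip_pasv_ip set"
    adv = ipaddress.ip_address(ip)
    if adv == ipaddress.ip_address(control_peer_ip):
        return ip, port, "advertised address matches control peer"
    if adv.is_private:
        return control_peer_ip, port, "advertised %s is not routable; using control peer" % ip
    return ip, port, "advertised public address differs from control peer"


if __name__ == "__main__":
    print(choose_data_address(PASV_REPLY, CONTROL_PEER_IP))
```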