
curl-library

Re: FTP_IGNORE_PASSIV_IP

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Thu, 23 Sep 2004 12:14:21 -0700

On Thu, Sep 23, 2004 at 08:50:04AM -0400, ED_Hingsbergen_at_cisgi.com wrote:
> One thing I perhaps did not make obvious enough - it is not my firewall
> that is the problem, but the firewall at the host site of a vendor to whom
> we wish to connect. Actually, I've seen the same situation with three
> separate FTPS hosts, with the identical scenario, and this fix resolves it.
> I don't know much about their firewall configuration, but know that they
> restrict traffic by source IP address; I am assuming they allow any traffic
> from our IP on the specified ports.
> This is a commercial setting - the server in at least one of these cases is
> a Sterling Commerce product (part of their "CONNECT" series), but the
> problem clearly is not server-specific.
> While configuring our connection to the first of these, I proposed that we
> use curl as a client (rather than the cumbersome commercial, closed source
> client they recommended). The IT staff at that site warned me that most
> FTPS clients would have trouble, specifically because they could not ignore
> the IP address passed in the passive response.

"The IT staff at that site warned me that most FTPS clients would have
trouble, specifically because they could not conform to their broken network
configuration." Their network setup is obviously the problem here. Their
ftp server is lying about the address in the PASV response and they want
the clients to break the ftp protocol to work. Their ftp server should
be using SOCKS or some other protocol to their router so that they can
send correct information in the PASV response and conform to the ftp spec.

Mutating libcurl to handle this case like you've done is a reasonable
solution if they're not going to fix their ftp server. But, IMHO, this
kind of hack shouldn't be in the released libcurl source.

> I can't imagine that this would not be a common problem with someone trying
> to connect to a commercial FTPS server across the Internet.

It's only a problem in a wildly misconfigured setup, like the one
you describe.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address service
          Let webmasters know that your web site has moved
Received on 2004-09-23
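The behaviour under discussion, as an added illustration that is not code from this thread or from libcurl: parse the server's PASV reply, compare the advertised address with the peer address of the control connection, and only substitute the control address when the caller has explicitly opted in (the `ignore_pasv_ip` flag, the reply strings and the addresses here are constructed for the example). Keeping the mismatch visible in the result lets a client log it rather than silently trusting a server that announces an address it does not own.

```c
#include <stdio.h>
#include <string.h>

/* Result of deciding where the FTP data connection should go. */
struct data_target {
    int ok;              /* 0 if the PASV reply was malformed */
    int overridden;      /* 1 if the advertised IP was replaced by control_ip */
    char ip[16];         /* address to connect to, dotted quad */
    unsigned short port; /* port to connect to */
};

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into ip/port.
 * Returns 1 on success, 0 if the reply is not a well-formed 227. */
static int parse_pasv(const char *reply, char *ip, size_t iplen,
                      unsigned short *port)
{
    unsigned int h[4], p[2];
    const char *open = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || !open)
        return 0;
    if (sscanf(open + 1, "%u,%u,%u,%u,%u,%u",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return 0;
    if (h[0] > 255 || h[1] > 255 || h[2] > 255 || h[3] > 255 ||
        p[0] > 255 || p[1] > 255)
        return 0;
    snprintf(ip, iplen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    *port = (unsigned short)(p[0] * 256 + p[1]);
    return 1;
}

/* control_ip is the peer address of the control connection (assumed to be
 * known to the caller). When the advertised address differs and
 * ignore_pasv_ip is set, reuse control_ip, which is what the patch in this
 * thread does; otherwise keep what the server said. */
struct data_target resolve_data_target(const char *reply,
                                       const char *control_ip,
                                       int ignore_pasv_ip)
{
    struct data_target t;
    memset(&t, 0, sizeof t);
    if (!parse_pasv(reply, t.ip, sizeof t.ip, &t.port))
        return t;
    t.ok = 1;
    if (ignore_pasv_ip && strcmp(t.ip, control_ip) != 0) {
        snprintf(t.ip, sizeof t.ip, "%s", control_ip);
        t.overridden = 1;
    }
    return t;
}
```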