I don't understand how it's wildly misconfigured. Although I agree that it
would be best if the FTPS host were advertising the public IP address in the
PASV response, that host has no reliable way of knowing what the public IP
address is. Their FTPS server is reporting its actual (private) IP address,
but the host is being accessed through the Internet via a NAT firewall. I
agree it is a shortcoming of the server, but do you know of a server that
has an option to report its IP address as something other than the host IP?
(Not that the vendors whose sites I am accessing could or would change
their server software.)
Thanks for the feedback!
From: dan_at_coneharvesters.co
To: libcurl development <curl-library_at_cool.haxx.se>
Subject: Re: FTP_IGNORE_PASSIV_IP
Date: 09/23/2004 03:14 PM
On Thu, Sep 23, 2004 at 08:50:04AM -0400, ED_Hingsbergen_at_cisgi.com wrote:
> One thing I perhaps did not make obvious enough - it is not my firewall
> that is the problem, but the firewall at the host site of a vendor to
> we wish to connect. Actually, I've seen the same situation with three
> separate FTPS hosts, with the identical scenario, and this fix resolves
> I don't know much about their firewall configuration, but know that they
> restrict traffic by source IP address, I am assuming they allow any
> from our IP on the specified ports.
> This is a commercial setting - the server in at least one of these cases
> a Sterling Commerce product (part of their "CONNECT" series), but the
> problem clearly is not server-specific.
> While configuring our connection to the first of these, I proposed that
> use curl as a client (rather than the cumbersome commercial, closed
> client they recommended). The IT staff at that site warned me that most
> FTPS clients would have trouble, specifically because they could not
> the IP address passed in the passive response.
"The IT staff at that site warned me that most FTPS clients would have
trouble, specifically because they could not conform to their broken
configuration." Their network setup is obviously the problem here. Their
ftp server is lying about the address in the PASV response and they want
the clients to break the ftp protocol to work. Their ftp server should
be using SOCKS or some other protocol to their router so that they can
send correct information in the PASV response and conform to the ftp spec.
Mutating libcurl to handle this case like you've done is a reasonable
solution if they're not going to fix their ftp server. But, IMHO, this
kind of hack shouldn't be in the released libcurl source.
> I can't imagine that this would not be a common problem with someone
> to connect to a commercial FTPS server across the Internet.
It's only a problem in a wildly misconfigured setup, like the one
Received on 2004-09-24
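The client-side workaround the two messages argue about, as an added example that is neither libcurl's code nor the patch Ed posted: parse the 227 PASV reply, detect the symptom (the server advertises an RFC 1918 address that is not the address the control connection is actually talking to), and, only when the caller asks for it, reuse the control connection's peer address with the advertised port. The option name `skip_pasv_ip`, the `control_peer` parameter and the sample replies in `demo()` are assumptions constructed for the example, not taken from the thread.

```python
"""Added example (not libcurl's code, not the thread's patch): parse an FTP
PASV reply and choose the data-connection target, with the "ignore the
advertised IP" workaround as an explicit, caller-controlled option.

Assumed names (not from the thread): skip_pasv_ip, control_peer (the
address the control connection is connected to) and the constructed
sample replies in demo().
"""
import ipaddress
import re

# RFC 959 fixes only the six comma-separated numbers (h1,h2,h3,h4,p1,p2);
# the surrounding text varies between servers, so match the numbers
# anywhere after the 227 reply code rather than a fixed sentence.
_PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# RFC 1918 private ranges. A PASV reply advertising one of these to a client
# that reached the server over the public Internet is the NAT symptom the
# thread describes (the server reports its real, private address).
_RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; raise ValueError otherwise."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1,p2 are the high and low byte of the port
    if port == 0:
        raise ValueError("PASV reply advertises port 0: %r" % reply)
    return host, port


def is_rfc1918(host):
    """True when host (dotted IPv4 string) lies in an RFC 1918 range."""
    return any(ipaddress.ip_address(host) in net for net in _RFC1918)


def advertises_private_address(reply, control_peer):
    """True when the server advertises an RFC 1918 address that differs from
    the address the control connection is talking to (the thread's case)."""
    host, _ = parse_pasv(reply)
    return host != control_peer and is_rfc1918(host)


def data_target(reply, control_peer, skip_pasv_ip=False):
    """Choose where to open the data connection.

    Default: trust the reply, as RFC 959 expects. With skip_pasv_ip the
    advertised host is ignored and control_peer is reused with the
    advertised port, which is what the thread's workaround amounts to.
    """
    host, port = parse_pasv(reply)
    if skip_pasv_ip:
        return control_peer, port
    return host, port


def demo():
    # Constructed sample: the control connection reaches the server at an
    # RFC 5737 documentation address, the reply carries the private one.
    control_peer = "203.0.113.7"
    reply = "227 Entering Passive Mode (10,1,2,3,195,149)."
    naive = data_target(reply, control_peer)
    fixed = data_target(reply, control_peer, skip_pasv_ip=True)
    print("advertised target:", naive,
          "private-behind-NAT symptom:", advertises_private_address(reply, control_peer))
    print("target with skip_pasv_ip:", fixed)
    return naive, fixed


if __name__ == "__main__":
    demo()
```

Keeping the override an explicit option rather than a heuristic is deliberate: a client that silently rewrites every private PASV address would also break the legitimate case where the client really is on the same private network as the server, so `advertises_private_address` is meant for logging or for prompting the operator, and `data_target` only deviates from the reply when told to. Later libcurl releases ship exactly this kind of switch as `CURLOPT_FTP_SKIP_PASV_IP` (curl's `--ftp-skip-pasv-ip`).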