[squid-users] RV: squid

Amos Jeffries squid3 at treenet.co.nz
Fri Jun 16 11:49:53 UTC 2017


On 16/06/17 22:40, Matus UHLAR - fantomas wrote:
>>>> ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.5/squid-3.5.0.1-RELEASENOTES.html 
>>>>
>>>> " Active and passive FTP support on the user-facing side; require 
>>>> passive
>>>> connections to come from the control connection source IP address."
>
>> On 06/15/2017 09:55 AM, Matus UHLAR - fantomas wrote:
>>> that means, if you open FTP control connection to squid, the passive 
>>> data
>>> connection to it must come from the same IP as control connection.
>
> On 15.06.17 10:06, Alex Rousskov wrote:
>> IIRC, the above interpretation is the right one:
>
> just for sure: my one?
>
>> * We support both active and passive FTP between an FTP client (a.k.a.
>> user) and Squid.
>>
>> * When an FTP client is using passive mode, the data connection must
>> come from the same IP as the control connection. This restriction blocks
>> attacks that steal data connection of legitimate FTP users.
>>
>> AFAIK, there are currently no plans (or even strong demand) to support
>> active FTP mode between Squid and FTP origin servers.
>
> what is ftp_passive for then?

For controlling how Squid gateways "GET ftp://example.com/ HTTP/1.1" 
requests to an FTP server. Whether it attempts PASV / EPSV mode commands 
at all, or skips straight to the fallback "active" PORT/EPRT commands.


> btw I suggest calling it "port" FTP mode instead of active

active vs passive are well-known terms for how DATA connections in FTP 
work (<http://slacksite.com/other/ftp.html> to pick the top result from 
Google claiming to be *the* definition of the terms). AFAIK, the 
words come from RFC 959 itself:

  "server-DTP

          The data transfer process, in its normal "active" state,
          establishes the data connection with the "listening" data port.
          It sets up parameters for transfer and storage, and transfers
          data on command from its PI.  The DTP can be placed in a
          "passive" state to listen for, rather than initiate a
          connection on the data port.
"

They refer to whether the server is actively initiating TCP connections 
to the client, or passively waiting for the client to connect to a 
random listener port the server sets up.


Amos
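The two mechanics discussed in this thread, the PASV/EPSV replies that ftp_passive decides whether to attempt, and the gateway-side rule that a passive data connection must come from the control connection's source IP, modelled as an added example. This is not Squid's code; the class and function names, the port numbers and the IP addresses are constructed for illustration.

```python
"""Added example (not Squid code): a minimal model of the FTP details in
the thread above.

1. parse_passive_reply() parses a 227 (PASV) or 229 (EPSV) server reply
   into the address the client must connect to; anything else raises, so
   a gateway can fall back to the active PORT/EPRT commands.
2. FtpGateway models the user-facing side: a passive data listener is tied
   to the control connection that asked for it, and a data connection from
   any other source IP is refused, which is what blocks a third party from
   stealing a legitimate user's data connection.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: str):
    """Return (host, port) for a PASV reply or (None, port) for an EPSV
    reply (EPSV reuses the control connection's address). Raises
    ValueError for a reply that is not a usable passive-mode answer."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"PASV field out of range: {line!r}")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"EPSV port out of range: {line!r}")
        return None, port
    raise ValueError(f"not a passive-mode reply: {line!r}")


def data_mode_commands(ftp_passive: bool):
    """Order in which a gateway tries data-connection setup against the
    origin server: passive first when ftp_passive is on, otherwise only
    the active PORT/EPRT commands (models the option as the thread
    describes it; constructed, not Squid's actual control flow)."""
    return ["EPSV", "PASV", "EPRT", "PORT"] if ftp_passive else ["EPRT", "PORT"]


@dataclass
class PassiveListener:
    port: int
    owner_ip: str  # source IP of the control connection that sent PASV/EPSV


class FtpGateway:
    """User-facing passive-mode bookkeeping (constructed model)."""

    def __init__(self):
        self.listeners = {}  # data port -> PassiveListener

    def open_passive(self, control_peer_ip: str, port: int) -> int:
        """Allocate a passive data listener owned by one control connection."""
        self.listeners[port] = PassiveListener(port, control_peer_ip)
        return port

    def accept_data(self, port: int, data_peer_ip: str) -> bool:
        """Accept a data connection only from the IP that owns the listener.
        A mismatch is refused and the listener stays open for the real
        client; a match consumes the listener (one data connection each)."""
        lst = self.listeners.get(port)
        if lst is None:
            return False
        if ipaddress.ip_address(data_peer_ip) != ipaddress.ip_address(lst.owner_ip):
            # A defender would log this: a data connection from a source
            # other than the control connection is the theft pattern.
            return False
        del self.listeners[port]
        return True


if __name__ == "__main__":
    print(parse_passive_reply("227 Entering Passive Mode (192,0,2,10,4,1)"))
    gw = FtpGateway()
    gw.open_passive("192.0.2.7", 50000)
    print(gw.accept_data(50000, "198.51.100.9"))  # other host: refused
    print(gw.accept_data(50000, "192.0.2.7"))     # control-connection IP: accepted
```

The addresses above are documentation ranges chosen for the example; the same-IP rule only says which peers may use a listener, so a gateway still needs the usual timeout on unused passive ports.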
