Subject: Re: ipnat ftp proxy fix yet? (ever?)
To: Manuel Bouyer <>
From: Sean Davis <>
List: tech-net
Date: 10/28/2004 07:52:24
On Thu, 28 Oct 2004 13:14:43 +0200, Manuel Bouyer
<> wrote:
> On Wed, Oct 27, 2004 at 08:19:29PM -0400, Sean Davis wrote:
> > On Wed, 27 Oct 2004 23:28:08 +0200, Martin Husemann <> wrote:
> > > On Wed, Oct 27, 2004 at 04:27:04PM -0400, Sean Davis wrote:
> > > > why hasn't <whatever change was made
> > > > to the ftp code> been reverted?
> > >
> > > That's impractical. Fixing the bug will be easier.
> >
> > Well, I didn't mean revert everything, what I meant was more along the
> > lines of "if Darren knew how to make it work then, why is it broken
> > now, and why can't he compare then and now to see what it's doing
> > differently?"
> Because a lot of things have changed between ipf3 and 4, and the diff is not
> exploitable?

I think you are deliberately missing my point. FTP proxy in ipf3
worked. FTP proxy in ipf4 does not, at least not on sparc/sparc64.
Surely fixing the problems in ipf3 didn't require breaking the
functionality? After all, it still works on i386.

> > It was never unreliable for me until I tried it on a sparc64. I always
> > use passive, but suppose some application I don't have control over
> > (on Windows, for example) wants active? The Windows user (aka my
> > mother) will expect it to "just work," and it won't.
> I'm not sure passive ftp would work through NAT without the proxy.
> At least the source address, and possibly the source port, need to be
> translated in the PORT command.

Passive FTP works sometimes through NAT for me without the proxy entry
in ipnat.conf, but back when I was using ipf4 on x86 it worked all the
time with the proxy entry. So did active.
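
The PORT rewriting that the quoted reply refers to, as an added example that is not part of the original message and is not IPFilter's code: it parses an RFC 959 PORT command and replaces the client's private address and port with the NAT's public ones. The function names, the addresses and the mapped port are assumptions made for illustration, and refusing a PORT whose address is not the sender's own is a choice made in this example.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 as decimal bytes.
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     rb"(\d{1,3}),(\d{1,3})\r\n", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def rewrite_port(line, client_ip, public_ip, mapped_port):
    """Rewrite a PORT command for a NAT mapping (hypothetical helper).

    Returns (new_line, length_delta). Lines that are not well-formed PORT
    commands pass through unchanged. The delta is the change in payload
    length, which the NAT must apply to TCP sequence and acknowledgement
    numbers for the rest of the control connection.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, 0
    if parsed[0] != client_ip:
        # Example policy: never open a mapping towards a third-party host.
        raise ValueError("PORT address differs from the sending client")
    if not 0 < mapped_port < 65536:
        raise ValueError("mapped port out of range")
    new = "PORT {},{},{}\r\n".format(
        public_ip.replace(".", ","), mapped_port >> 8, mapped_port & 0xFF
    ).encode("ascii")
    return new, len(new) - len(line)


if __name__ == "__main__":
    # Constructed sample: private client address, documentation-range public one.
    sample = b"PORT 192,168,1,10,195,80\r\n"
    print(parse_port(sample))
    print(rewrite_port(sample, "192.168.1.10", "203.0.113.5", 40001))
```
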