Hi

On Thu, Apr 13, 2000 at 12:35:40PM +0200, Michael Meskes wrote:
> On Wed, Apr 12, 2000 at 09:36:01PM +0200, Giacomo Mulas wrote:
> > 5) the transfer lasts long enough for spf to timeout and
> > close the channel for reply packets on the ftp control port
>
> That means not only did the transfer last long, but also you
> have at least 30 seconds without any packets going out from
> your site. AFAIK the client sends some acks when receiving
> packets, doesn't it?

I think what he means is this: In the control channel, he sends the RETR
command to download the file. The data channel is opened up and the file
starts downloading. The downloading works fine, receiving data and sending
ACKs. While the data is getting transferred on the data channel, the
command channel is idle. Because the command channel is idle, the reverse
rule expires for the command channel.

> > correctly), but it would also let through some portscans. Any simple
> > solutions?
>
> And yes, that's the problem.

The simplest solution I can think of is to install an FTP proxy server :)

Otherwise, is it possible to configure spf to get rid of the reverse rule
only when the connection is actually closed? You would probably need a
timeout, though, but that could be set to a few hours or something, rather
than 30 seconds. Maybe this is the way it works already?

--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
[EMAIL PROTECTED] | Fax: +27 21 761 9930 | Kingsley Technologies
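As an added illustration (not code from the thread or from spf itself), a small Python model of the reverse-rule table described above: the control-channel entry is refreshed only by outbound packets, so a long transfer that touches only the data channel lets it idle out and the server's final reply on port 21 is dropped; a longer timeout or close-only expiry keeps it reachable. The 30 second timeout and the flow keys are assumptions.

```python
# Model of a stateful filter's "reverse rule" table for an FTP session.
# Illustrative only: timeout value and flow keys below are assumed.

IDLE_TIMEOUT = 30.0                          # assumed reverse-rule idle timeout (s)
CONTROL = ("client", 1234, "server", 21)     # constructed flow key: FTP control
DATA = ("client", 1235, "server", 20)        # constructed flow key: FTP data


class StateTable:
    """Reverse-rule table: an entry permits replies for a flow the client opened."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, expire_only_on_close=False):
        self.idle_timeout = idle_timeout
        self.expire_only_on_close = expire_only_on_close
        self.last_seen = {}  # flow key -> time of the last outbound packet

    def outbound(self, key, now):
        """Client sent a packet on this flow: create or refresh its reverse rule."""
        self.last_seen[key] = now

    def closed(self, key):
        """Connection torn down (FIN/RST seen): drop the reverse rule."""
        self.last_seen.pop(key, None)

    def reply_allowed(self, key, now):
        """Would an inbound packet on this flow pass the filter at time `now`?"""
        if key not in self.last_seen:
            return False
        if self.expire_only_on_close:
            return True
        if now - self.last_seen[key] > self.idle_timeout:
            del self.last_seen[key]  # idle entry expired: the reply is dropped
            return False
        return True


def long_transfer(table, transfer_seconds=120):
    """RETR on the control channel, then a transfer that only touches the data
    channel. Returns whether the server's final '226 Transfer complete' reply
    on the control channel gets through the filter."""
    table.outbound(CONTROL, 0.0)                 # client sends RETR
    table.outbound(DATA, 1.0)                    # data connection opened
    for t in range(2, transfer_seconds + 1):     # client ACKs data every second
        table.outbound(DATA, float(t))
    # Server's 226 reply arrives on the control channel, idle the whole time
    return table.reply_allowed(CONTROL, transfer_seconds + 1.0)
```

With the default 30 second timeout the 226 reply is dropped; with a multi-hour timeout or close-only expiry it passes, at the cost of the stale-entry exposure the thread mentions.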

