Re: patch ftp-proxy, proposal

2010-01-12 Thread Tiery DENYS 
On Tue, Jan 12, 2010 at 10:01 AM, Paul de Weerd we...@weirdnet.nl wrote:

 On Tue, Jan 12, 2010 at 09:38:32AM +0100, Tiery DENYS wrote:
 | On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck b...@ualberta.ca wrote:
 | Yes I prefer waiting here instead of sending any response on ident port.
 | (silent fw)

 How can you claim 'silent fw' if it was the source of an ftp
 connection ?

 | I will not explain the benefit of dropping packets silently. This is
 | something we will not change, even if it is only for ident protocol.
 | The problem deals with public ftp servers, like university or other
 | research/company and we can't reconfigure them. If we keep in mind that
 our
 | firewall will always drop packets silently, there are not a lot of
 | solutions.

 Sure, don't change your firewall, but do realize that your argument is
 flawed. There is traffic originatimg from the address, so it must be
 alive. Simply sending a RST for attempted connections to the ident
 port does not tell anyone anything new.

 What does block drop gain you over block reject in this case ?

 (not a question to debate on the list, just something to think about)

 Cheers,

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
 http://www.weirdnet.nl/


Hmm, yes it must be alive, it is true. It appears that ident is filtered by
an other firewall (which I can't configure, and who drop packets silently)
before my network (and my firewall).
I know I am going to a very specific case, that's why I was proposing a
knob.

patch ftp-proxy, proposal

2010-01-07 Thread Tiery DENYS 
Hi,

  I would like to propose a patch for ftp-proxy. This patch implement an
option concerning specific timeout (connect_timeout).
It add an option for setting connect_timeout variable while starting
ftp-proxy (this variable is currently set to 30 in code). Setting this
variable to another value can solve many troubles with some ftp server:

ex:
- There are some public ftp servers missconfigurated who use ident protocol
and wait 30 seconds on ident port before sending banner.
With the default connect_timeout value, it is not possible to connect to
theses servers with fw filtering ident port. With a higher value, it will
succeed
- It can be also usefull to change these value and set it to a lower value
in order to drop these kind of servers quickly.

That's why I think adding a knob can be usefull.


  What do you thing about this idea ? Other people should have had troubles
with the default value.



Kind regards,

Tiery




-


diff -u -p -r -r ftp-proxy.orig/ftp-proxy.8 ftp-proxy/ftp-proxy.8
--- ftp-proxy.orig/ftp-proxy.8Tue Jan  5 11:31:39 2010
+++ ftp-proxy/ftp-proxy.8Tue Jan  5 16:41:34 2010
@@ -26,6 +26,7 @@
 .Op Fl 6Adrv
 .Op Fl a Ar address
 .Op Fl b Ar address
+.Op Fl c Ar connect_timeout
 .Op Fl D Ar level
 .Op Fl m Ar maxsessions
 .Op Fl P Ar port
@@ -95,6 +96,9 @@ connection to a server.
 .It Fl b Ar address
 Address where the proxy will listen for redirected control connections.
 The default is 127.0.0.1, or ::1 in IPv6 mode.
+.It Fl c Ar connect_timeout
+Number of seconds that the connection will wait before
+assuming that the server is down. The default is 30 seconds.
 .It Fl D Ar level
 Debug level, ranging from 0 to 7.
 Higher is more verbose.
Only in ftp-proxy: ftp-proxy.8.orig
diff -u -p -r -r ftp-proxy.orig/ftp-proxy.c ftp-proxy/ftp-proxy.c
--- ftp-proxy.orig/ftp-proxy.cTue Jan  5 11:31:39 2010
+++ ftp-proxy/ftp-proxy.cTue Jan  5 16:49:21 2010
@@ -44,7 +44,6 @@

 #include filter.h

-#define CONNECT_TIMEOUT30
 #define MIN_PORT1024
 #define MAX_LINE500
 #define MAX_LOGLINE300
@@ -115,8 +114,8 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN];
 struct sockaddr_storage fixed_server_ss, fixed_proxy_ss;
 char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip,
*listen_port,
 *qname, *tagname;
-int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions,
-rfc_mode, session_count, timeout, verbose;
+int anonymous_only, connect_timeout, daemonize, id_count, ipv6_mode,
loglevel,
+max_sessions, rfc_mode, session_count, timeout, verbose;
 extern char *__progname;

 void
@@ -506,7 +505,7 @@ handle_connection(const int listen_fd, short event, vo
 logmsg(LOG_CRIT, #%d bufferevent_new server failed, s-id);
 goto fail;
 }
-bufferevent_settimeout(s-server_bufev, CONNECT_TIMEOUT, 0);
+bufferevent_settimeout(s-server_bufev, connect_timeout, 0);
 bufferevent_enable(s-server_bufev, EV_READ | EV_TIMEOUT);

 return;
@@ -592,6 +591,7 @@ main(int argc, char *argv[])

 /* Defaults. */
 anonymous_only= 0;
+connect_timeout= 30;
 daemonize= 1;
 fixed_proxy= NULL;
 fixed_server= NULL;
@@ -611,7 +611,7 @@ main(int argc, char *argv[])
 id_count= 1;
 session_count= 0;

-while ((ch = getopt(argc, argv, 6Aa:b:D:dm:P:p:q:R:rT:t:v)) != -1) {
+while ((ch = getopt(argc, argv, 6Aa:b:c:D:dm:P:p:q:R:rT:t:v)) != -1)
{
 switch (ch) {
 case '6':
 ipv6_mode = 1;
@@ -625,6 +625,11 @@ main(int argc, char *argv[])
 case 'b':
 listen_ip = optarg;
 break;
+case 'c':
+connect_timeout = strtonum(optarg, 0, 86400, errstr);
+if (errstr)
+errx(1, connect timeout %s, errstr);
+break;
 case 'D':
 loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG,
 errstr);
@@ -1119,8 +1124,9 @@ void
 usage(void)
 {
 fprintf(stderr, usage: %s [-6Adrv] [-a address] [-b address]
- [-D level] [-m maxsessions]\n [-P port]
- [-p port] [-q queue] [-R address] [-T tag]\n
- [-t timeout]\n, __progname);
+ [-c connect_timeout] \n [-D level]
+ [-m maxsessions] [-P port] [-p port] [-q queue]\n
+ [-R address] [-T tag] [-t timeout]\n
+, __progname);
 exit(1);
 }
Only in ftp-proxy: ftp-proxy.c.orig