Re: patch ftp-proxy, proposal
On Tue, Jan 12, 2010 at 09:38:32AM +0100, Tiery DENYS wrote: | On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck b...@ualberta.ca wrote: | Yes I prefer waiting here instead of sending any response on ident port. | (silent fw) How can you claim 'silent fw' if it was the source of an ftp connection ? | I will not explain the benefit of dropping packets silently. This is | something we will not change, even if it is only for ident protocol. | The problem deals with public ftp servers, like university or other | research/company and we can't reconfigure them. If we keep in mind that our | firewall will always drop packets silently, there are not a lot of | solutions. Sure, don't change your firewall, but do realize that your argument is flawed. There is traffic originatimg from the address, so it must be alive. Simply sending a RST for attempted connections to the ident port does not tell anyone anything new. What does block drop gain you over block reject in this case ? (not a question to debate on the list, just something to think about) Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: patch ftp-proxy, proposal
On Tue, Jan 12, 2010 at 10:01 AM, Paul de Weerd we...@weirdnet.nl wrote: On Tue, Jan 12, 2010 at 09:38:32AM +0100, Tiery DENYS wrote: | On Mon, Jan 11, 2010 at 2:08 PM, Bob Beck b...@ualberta.ca wrote: | Yes I prefer waiting here instead of sending any response on ident port. | (silent fw) How can you claim 'silent fw' if it was the source of an ftp connection ? | I will not explain the benefit of dropping packets silently. This is | something we will not change, even if it is only for ident protocol. | The problem deals with public ftp servers, like university or other | research/company and we can't reconfigure them. If we keep in mind that our | firewall will always drop packets silently, there are not a lot of | solutions. Sure, don't change your firewall, but do realize that your argument is flawed. There is traffic originatimg from the address, so it must be alive. Simply sending a RST for attempted connections to the ident port does not tell anyone anything new. What does block drop gain you over block reject in this case ? (not a question to debate on the list, just something to think about) Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/ Hmm, yes it must be alive, it is true. It appears that ident is filtered by an other firewall (which I can't configure, and who drop packets silently) before my network (and my firewall). I know I am going to a very specific case, that's why I was proposing a knob.
Re: patch ftp-proxy, proposal
* Tiery DENYS tiery.de...@gmail.com [2010-01-12 09:47]: A higher value is stupid, because you then end up waiting forever for connections to these anyway.. Are you gonna sit there for 45 seconds before you connect? no, of course not, you're gonna thing it's screwed. Yes I prefer waiting here instead of sending any response on ident port. (silent fw) doctor, doctor, it hirts when i push a knife in my eye! then don't do it. your agenda is stupid, and there is no excuse to support it. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: patch ftp-proxy, proposal
ex: - There are some public ftp servers missconfigurated who use ident protocol and wait 30 seconds on ident port before sending banner. With the default connect_timeout value, it is not possible to connect to theses servers with fw filtering ident port. With a higher value, it will succeed A higher value is stupid, because you then end up waiting forever for connections to these anyway.. Are you gonna sit there for 45 seconds before you connect? no, of course not, you're gonna thing it's screwed. - It can be also usefull to change these value and set it to a lower value in order to drop these kind of servers quickly. Also stupid - because you either set it to like 20 seconds or 10 seconds which is still annoying, or far less and drop legit servers. That's why I think adding a knob can be usefull. Of course, if such a server were configured to try ident - the right answer would be to ensure your firewall drops it. You only have a problem with these if you have your firewall dropping such connections silently - which is stupid in the first place. If they know you aren't listening the ident fails immediately and the connect works.
patch ftp-proxy, proposal
Hi, I would like to propose a patch for ftp-proxy. This patch implement an option concerning specific timeout (connect_timeout). It add an option for setting connect_timeout variable while starting ftp-proxy (this variable is currently set to 30 in code). Setting this variable to another value can solve many troubles with some ftp server: ex: - There are some public ftp servers missconfigurated who use ident protocol and wait 30 seconds on ident port before sending banner. With the default connect_timeout value, it is not possible to connect to theses servers with fw filtering ident port. With a higher value, it will succeed - It can be also usefull to change these value and set it to a lower value in order to drop these kind of servers quickly. That's why I think adding a knob can be usefull. What do you thing about this idea ? Other people should have had troubles with the default value. Kind regards, Tiery - diff -u -p -r -r ftp-proxy.orig/ftp-proxy.8 ftp-proxy/ftp-proxy.8 --- ftp-proxy.orig/ftp-proxy.8Tue Jan 5 11:31:39 2010 +++ ftp-proxy/ftp-proxy.8Tue Jan 5 16:41:34 2010 @@ -26,6 +26,7 @@ .Op Fl 6Adrv .Op Fl a Ar address .Op Fl b Ar address +.Op Fl c Ar connect_timeout .Op Fl D Ar level .Op Fl m Ar maxsessions .Op Fl P Ar port @@ -95,6 +96,9 @@ connection to a server. .It Fl b Ar address Address where the proxy will listen for redirected control connections. The default is 127.0.0.1, or ::1 in IPv6 mode. +.It Fl c Ar connect_timeout +Number of seconds that the connection will wait before +assuming that the server is down. The default is 30 seconds. .It Fl D Ar level Debug level, ranging from 0 to 7. Higher is more verbose. Only in ftp-proxy: ftp-proxy.8.orig diff -u -p -r -r ftp-proxy.orig/ftp-proxy.c ftp-proxy/ftp-proxy.c --- ftp-proxy.orig/ftp-proxy.cTue Jan 5 11:31:39 2010 +++ ftp-proxy/ftp-proxy.cTue Jan 5 16:49:21 2010 @@ -44,7 +44,6 @@ #include filter.h -#define CONNECT_TIMEOUT30 #define MIN_PORT1024 #define MAX_LINE500 #define MAX_LOGLINE300 @@ -115,8 +114,8 @@ char ntop_buf[NTOP_BUFS][INET6_ADDRSTRLEN]; struct sockaddr_storage fixed_server_ss, fixed_proxy_ss; char *fixed_server, *fixed_server_port, *fixed_proxy, *listen_ip, *listen_port, *qname, *tagname; -int anonymous_only, daemonize, id_count, ipv6_mode, loglevel, max_sessions, -rfc_mode, session_count, timeout, verbose; +int anonymous_only, connect_timeout, daemonize, id_count, ipv6_mode, loglevel, +max_sessions, rfc_mode, session_count, timeout, verbose; extern char *__progname; void @@ -506,7 +505,7 @@ handle_connection(const int listen_fd, short event, vo logmsg(LOG_CRIT, #%d bufferevent_new server failed, s-id); goto fail; } -bufferevent_settimeout(s-server_bufev, CONNECT_TIMEOUT, 0); +bufferevent_settimeout(s-server_bufev, connect_timeout, 0); bufferevent_enable(s-server_bufev, EV_READ | EV_TIMEOUT); return; @@ -592,6 +591,7 @@ main(int argc, char *argv[]) /* Defaults. */ anonymous_only= 0; +connect_timeout= 30; daemonize= 1; fixed_proxy= NULL; fixed_server= NULL; @@ -611,7 +611,7 @@ main(int argc, char *argv[]) id_count= 1; session_count= 0; -while ((ch = getopt(argc, argv, 6Aa:b:D:dm:P:p:q:R:rT:t:v)) != -1) { +while ((ch = getopt(argc, argv, 6Aa:b:c:D:dm:P:p:q:R:rT:t:v)) != -1) { switch (ch) { case '6': ipv6_mode = 1; @@ -625,6 +625,11 @@ main(int argc, char *argv[]) case 'b': listen_ip = optarg; break; +case 'c': +connect_timeout = strtonum(optarg, 0, 86400, errstr); +if (errstr) +errx(1, connect timeout %s, errstr); +break; case 'D': loglevel = strtonum(optarg, LOG_EMERG, LOG_DEBUG, errstr); @@ -1119,8 +1124,9 @@ void usage(void) { fprintf(stderr, usage: %s [-6Adrv] [-a address] [-b address] - [-D level] [-m maxsessions]\n [-P port] - [-p port] [-q queue] [-R address] [-T tag]\n - [-t timeout]\n, __progname); + [-c connect_timeout] \n [-D level] + [-m maxsessions] [-P port] [-p port] [-q queue]\n + [-R address] [-T tag] [-t timeout]\n +, __progname); exit(1); } Only in ftp-proxy: ftp-proxy.c.orig