On 25/01/2014 9:27 a.m., Alex Rousskov wrote:
> Hello,
>
> I propose to limit squid.conf "ftp_epsv off" prohibition to IPv4 FTP
> servers.
>
> Setting ftp_epsv to "off" is often necessary to correctly handle
> real-world cases where an IPv4 FTP server correctly responds to an EPSV
> command but is located behind a firewall that does not understand EPSV
> responses and, hence, does not allow the subsequent data connection
> through. This combination forces Squid admins to turn ftp_epsv off.
>
> However, turning ftp_epsv off to handle a few broken IPv4 FTP servers
> immediately breaks *all* IPv6 FTP servers because EPSV is required for
> any IPv6 FTP server to exchange data. The old PASV command is not
> flexible enough to serve IPv6 needs. See RFC 2428 for details.
>
> Since using EPSV with IPv6 servers cannot make matters worse and will
> make them better in many cases, I suggest ignoring "ftp_epsv off" when
> Squid has to talk to an IPv6 FTP server.
>
>
> Do you think it would be OK to allow the use of EPSV commands with IPv6
> servers even if ftp_epsv is off?
"off" should never be abused to mean half-off. We are having enough trouble with "forwarded_for off" historically meaning something other than disable the XFF feature.

I think extending the directive to allow selective disabling with no-ipv6 or no-ipv4 values would be better.

Amos
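The point both messages turn on is that a PASV reply can only carry four IPv4 octets, while an EPSV reply carries just a port and reuses the control connection's address. The following is an added illustration, not Squid code: it parses both reply forms and models the directive values discussed above ("on"/"off" exist; "no-ipv4"/"no-ipv6" are the hypothetical selective values from the reply), showing that a plain "off" leaves an IPv6 peer with no usable data channel. Sample replies and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample replies; not captured from a real server.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||49753|)"


def parse_pasv(reply):
    """Parse an RFC 959 PASV reply into (IPv4Address, port).
    Only four address octets fit, so an IPv6 server cannot announce
    its data address this way at all."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("PASV field out of range: %r" % reply)
    return ipaddress.IPv4Address(".".join(str(x) for x in f[:4])), f[4] * 256 + f[5]


def parse_epsv(reply, control_peer):
    """Parse an RFC 2428 EPSV reply (|||port|) into (address, port).
    The data address is the control connection's peer, which is why
    EPSV works for IPv6 peers and for IPv4 servers behind NAT."""
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("EPSV port out of range: %r" % reply)
    return ipaddress.ip_address(control_peer), port


def data_command(control_peer, ftp_epsv):
    """Illustrative policy only (not Squid's logic). 'on'/'off' are the
    real directive values; 'no-ipv4'/'no-ipv6' are the hypothetical
    selective values suggested in the thread."""
    peer = ipaddress.ip_address(control_peer)
    epsv_allowed = {
        "on": True,
        "off": False,
        "no-ipv4": peer.version != 4,
        "no-ipv6": peer.version != 6,
    }[ftp_epsv]
    if epsv_allowed:
        return "EPSV"
    if peer.version == 6:
        # This is the breakage the proposal describes: no IPv6 data channel.
        raise ValueError("PASV cannot carry an IPv6 data address (RFC 2428)")
    return "PASV"
```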