Re: More spf questions (bug report?)


On Thu, Apr 13, 2000 at 12:35:40PM +0200, Michael Meskes wrote:
> On Wed, Apr 12, 2000 at 09:36:01PM +0200, Giacomo Mulas wrote:
> > 5) the transfer lasts long enough for spf to timeout and
> > close the channel for reply packets on the ftp control port
> That means not only did the transfer last long, but also you
> have at least 30 seconds without any packets going out from
> your site. AFAIK the client sends some acks when receiving
> packets, doesn't it?

I think what he means is this:
In the control channel, he sends the RETR command to download
the file.  The data channel is opened up and the file starts
downloading.  The downloading works fine, receiving data and
sending ACKs.  While the data is getting transferred on the data
channel, the command channel is idle.  Because the command
channel is idle, the reverse rule expires for the command

> > correctly), but it would also let through some portscans. Any simple
> > solutions?
> And yes, that's the problem.

The simplest solution I can think of is to install an FTP proxy
server :)  Otherwise, is it possible to configure spf to get rid
of the reverse rule only when the connection is actually closed?
You would probably need a timeout, though, but that could be set
to a few hours or something, rather than 30 seconds.  Maybe this
is the way it works already?
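The mechanism described above, as an added toy model that is not part of the original post or of spf's own code: a stateful filter keeps a reverse rule per outbound flow, refreshes it only when a packet leaves the site (as the thread suggests), and drops inbound packets whose rule has gone idle longer than the timeout. The addresses, the 30-second timeout, the 4-hour alternative and the packet timeline are all constructed for the example. Running it shows the data channel staying open throughout a 120-second RETR while the server's "226 Transfer complete" on the silent control channel is dropped at 30 seconds and accepted with the longer timeout.

```python
"""Toy model of a stateful packet filter's reverse rules, written to reproduce
the FTP control-channel timeout discussed in this thread.  It is an added
illustration, not spf's own code: the idle timeouts, addresses and packet
timeline below are constructed for the example, and the filter is assumed (as
the thread suggests) to refresh a reverse rule only when a packet leaves the
site."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Addresses and ports of one direction of a TCP connection."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since the RETR command was sent
    flow: Flow
    outbound: bool  # True if the packet leaves our site
    note: str


class StatefulFilter:
    """Allows inbound packets only when a fresh reverse rule exists for them."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.reverse_rules: dict = {}  # outbound flow -> time of last refresh

    def handle(self, pkt: Packet) -> bool:
        if pkt.outbound:
            # Every packet leaving the site creates or refreshes the reverse rule.
            self.reverse_rules[pkt.flow] = pkt.t
            return True
        key = pkt.flow.reverse()
        last = self.reverse_rules.get(key)
        if last is None:
            return False                    # no matching outbound flow at all
        if pkt.t - last > self.idle_timeout:
            del self.reverse_rules[key]     # rule expired while the flow sat idle
            return False
        return True


CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # constructed addresses
CONTROL = Flow(CLIENT, 40001, SERVER, 21)        # FTP control channel
DATA = Flow(CLIENT, 40002, SERVER, 50123)        # passive-mode data channel


def ftp_download_timeline(transfer_seconds: int) -> list:
    """Constructed packet sequence for a passive-mode RETR that takes
    `transfer_seconds` to complete."""
    pkts = [
        Packet(0.0, CONTROL, True, "RETR big.iso"),
        Packet(0.1, CONTROL.reverse(), False, "150 Opening data connection"),
        Packet(0.2, DATA, True, "SYN on data channel"),
    ]
    # The data channel stays busy: the server sends segments, the client ACKs.
    for s in range(1, transfer_seconds + 1):
        pkts.append(Packet(float(s), DATA.reverse(), False, "data segment"))
        pkts.append(Packet(s + 0.01, DATA, True, "ACK"))
    # Meanwhile the control channel has been silent since the RETR.
    pkts.append(Packet(transfer_seconds + 0.5, CONTROL.reverse(), False,
                       "226 Transfer complete"))
    return pkts


def run(idle_timeout: float, transfer_seconds: int = 120) -> dict:
    """Return the filter's verdict for each notable inbound packet."""
    fw = StatefulFilter(idle_timeout)
    verdicts = {}
    data_ok = True
    for pkt in ftp_download_timeline(transfer_seconds):
        allowed = fw.handle(pkt)
        if pkt.note == "data segment":
            data_ok = data_ok and allowed
        elif not pkt.outbound:
            verdicts[pkt.note] = allowed
    verdicts["data segments"] = data_ok
    return verdicts


if __name__ == "__main__":
    for timeout in (30.0, 4 * 3600.0):
        print(f"idle timeout {timeout:>6.0f}s:", run(timeout))
```

The model only refreshes on outbound packets, so the client's ACKs keep the data channel's rule alive while the control channel's rule ages from the moment the RETR went out. Lengthening the timeout (or, as suggested above, dropping the rule only when the connection actually closes) is what lets the final 226 reply through.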

