author Bill Marquette <billm@pfsense.org> 2005-03-04 14:54:59 +0000
committer Bill Marquette <billm@pfsense.org> 2005-03-04 14:54:59 +0000
commit 28536efd42e0dd96c0bab6035f4b816af053766b (patch)
tree fb0001231536760ec683414285efbb5216574ebc /etc
parent bd4469ce7040095cb7f3c971019264c91dd1bbf9 (diff)
Fix ftp servers that violate RFC 959 (we aren't Checkpoint, we've got better technology) - this should be a flag under "advanced" though I think
Diffstat (limited to 'etc')
-rw-r--r-- etc/inc/filter.inc 7
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 39ff5e9..97dbc5c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -982,7 +982,12 @@ anchor "carp"
# enable ftp-proxy
anchor "ftpproxy"
-pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state
+pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state "FTP PROXY: PASV mode data connection"
+# Fix sites that violate RFC 959 which specifies that the data connection
+# be sourced from the command port - 1 (typicaly port 20)
+# This workaround doesn't expose us to any extra risk as we'll still only allow
+# connections to the firewall on a port that ftp-proxy is listening on
+pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround"
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
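Review bot: The first `pass` rule in this hunk is missing the `label` keyword in front of the `"FTP PROXY: PASV mode data connection"` string, which is a syntax error in pf.conf and will make pfctl reject the whole generated rule set; it should read `keep state label "FTP PROXY: PASV mode data connection"`, matching the workaround rule two lines below. Minor: `typicaly` in the comment should be `typically`. Since the new `from any` rule accepts every source port, the `from port 20` rule above it now only serves to give RFC-compliant servers a distinct label; if the "flag under advanced" mentioned in the commit message is added, emitting the `from any` rule only when that flag is set would keep the stricter source-port check in force by default.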