Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r-- | etc/inc/filter.inc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 39ff5e9..97dbc5c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -982,7 +982,12 @@ anchor "carp" # enable ftp-proxy anchor "ftpproxy"
-pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state
+pass in quick on $wanif inet proto tcp from port 20 to ($wanif) port > 49000 user proxy flags S/SA keep state "FTP PROXY: PASV mode data connection"
+# Fix sites that violate RFC 959 which specifies that the data connection
+# be sourced from the command port - 1 (typicaly port 20)
+# This workaround doesn't expose us to any extra risk as we'll still only allow
+# connections to the firewall on a port that ftp-proxy is listening on
+pass in quick on $wanif inet proto tcp from any to ($wanif) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: RFC959 violation workaround" # allow access to DHCP server on LAN anchor "dhcpserverlan" |
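Review bot: The first added pass rule ends with `keep state "FTP PROXY: PASV mode data connection"` with no `label` keyword, whereas the second added rule correctly writes `keep state label "..."`; a bare string after `keep state` is not valid pf syntax, so pfctl would reject the whole generated ruleset when this line is loaded, and it should read `... user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"` (unless the word was lost in rendering). The comment block above the any-source rule would be clearer if it named the clause that actually bounds the exposure, since `port > 49000` alone admits every high port: e.g. `# 'user proxy' confines this rule to sockets owned by the ftp-proxy user, so only its listeners above 49000 are reachable from any source`. The surrounding ruleset continues outside the hunk, and the hunk header counts (7 old / 12 new) exceed the lines visible here, so some context (likely blank lines) appears to have been dropped in rendering.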