Re: [squid-users] Unsafe PASV reply

From: Henrik Nordstrom <[email protected]>
Date: Fri, 29 Nov 2002 02:18:45 +0100

That the IP address returned by the FTP server in response to PASV
does not match the server address contacted, and is rejected by Squid
to avoid some nasty security issues where people have been abusing
HTTP and FTP proxies for completely other purposes like sending SMTP
email, IRC, bypassing firewall rules etc.

See also the ftp_sanity_check directive. Strongly recommended to keep
this at the default "on" value unless you have a good reason to not
have these security/consistency checks of the traffic.

Regards
Henrik

On Thursday 28 November 2002 10.20, -JhAzEr- wrote:
> I got this on my log file:
>
> [squid] Unsafe PASV reply from "IP ADDRESS": Entering Passive Mode
> (192,168,1,1,9,177).
>
> What does it mean?
>
>
> Slackware 9.0 Beta
> ------------------------------
> pub 1024D/04BAE461 2002-10-22 -JhAzEr- <catsedp@cats.com.ph>
> sub 1024g/63BA0ABD 2002-10-22 Mobile Phone: 0920-2625725
>
> Window Manager ---> Ratpoison-1.1.1
> Email Client ---> Pygmy-0.6.0
> Web Browser ---> Phoenix-0.3 (Lucia)
>
> [gcc-3.2] [gnupg-1.2.0] [gpgme-0.3.9]
Received on Thu Nov 28 2002 - 18:57:49 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:38 MST