There is Docker, and there is a container with proftpd. The FTP daemon is configured to work in passive mode, and the container is launched with docker-compose, in which port forwarding from the host machine is configured. When working in passive mode (if FTP is behind NAT), you need to specify the external IP of the host machine in the config file in the MasqueradeAddress variable.

The problem is that it is not known in advance where this container will be launched, or how many external IP addresses the host machine will have. What can be done?

  • Just a note: with the HTTP protocol you can serve file contents, as far as I know, no less effectively than with the FTP protocol, and the problems inherent in FTP "by design" are absent. - aleksandr barakin
  • @TheSpbra1n, well, what if you just don't hard-code MasqueradeAddress? In theory, it will then simply return to the client the IP that the client connected to? - Sergey Rufanov
  • @alexanderbarakin, there are requirements. They already exist, the author has already agreed to them, and they will have to be fulfilled. It is already too late at this stage to demand that the customer "refuse FTP"; that had to be done at the requirements assessment stage. - Sergey Rufanov
  • @TheSpbra1n, well, that is if it is in bridge mode. And what if you set the container's network to host mode? Or can there be multiple proftpd containers on the same host machine at once? - Sergey Rufanov
  • @alexander barakin, sometimes the author is just an employee who does not participate in the assessment stages - TheSpbra1n

1 answer

If the host runs no more than one proftpd container, you can simply change the network type of your container from "bridge" to "host" and remove MasqueradeAddress from the proftpd config.

This way the container will use the host machine's network, and proftpd will give passive clients the IP they are trying to connect to.
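
The change described in the answer, sketched as a compose file. This is an added example, not configuration from the original post: the image name, the mounted config path and the passive port range 50000-50100 are assumed placeholders.

```yaml
# docker-compose.yml (added example; image, paths and port range are placeholders)
services:
  proftpd:
    image: example/proftpd:latest          # placeholder image name
    # Before (default bridge network): passive mode required MasqueradeAddress
    # set to the host's external IP, plus published control and passive ports:
    #   ports:
    #     - "21:21"
    #     - "50000-50100:50000-50100"
    #
    # After: share the host's network stack. The "ports:" section is dropped,
    # because port publishing does not apply in host mode.
    network_mode: host
    volumes:
      - ./proftpd.conf:/etc/proftpd/proftpd.conf:ro   # assumed config location

# proftpd.conf, relevant lines for host mode (shown here as comments):
#
#   # MasqueradeAddress <external-ip>    <- removed, as the answer suggests
#   PassivePorts 50000 50100             # keep the passive range explicit and narrow
#
# In host mode the daemon binds directly on the host's interfaces, so Docker's
# port mapping no longer limits what is reachable. Restrict inbound traffic in
# the host firewall to port 21 and the PassivePorts range only.
```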