Patch: Additional logging in NTP+- SECURITY OF THE PROXY
+- The proxy runs with dropped priviledges, and chrooted.
+- It can also be set to run on just one interface. All the string
+- handling is done through the functions in str.c on sstr structures
+- rather than raw buffers. Potential buffer overflows should be
+- limited to that file.
+- Each client is served in a separate process which dies after a
+- period of inactivity (using SIGALRM). Config file options exist
+- for the maximimum number of clients and the maximum number of
+- connections from a single IP.
+- Sanitising data that passes through the proxy
+- Not much is done here. We only allow printable ascii characters
+- through the control stream which should make sending buffer
+- overflow code through the proxy pretty difficult. FTP commands are
+- all forced to be in the format "XXXX [argument]", and replies in
+- the form "nnn[-] Message". Bear in mind that FTP is a
+- fundamentally insecure protocol, and that there is not much
+- difference that a proxy can make to many aspects of that. I'd
+- suggest turning on "BounceDefend", "SameAddress", and "APConv" in
+- the config file.
+- Can someone use the proxy to make a hole in the firewall?
+- Not from the outside (I hope:). It would be fairly easy to write a
+- program to tunnel IP through the proxy if you had access to
+- machines on both sides, but then again this is true of most
+- Transparent data connection proxying / libiptc [Kernel 2.4 only]
+- If you are using transparent data connections then there is some
+- code in linux.c which is forked off and runs as root in order to
+- add and remove iptables entries. The amount of code here is very
+- small, but in the case of an exploit in the main part of the code
+- an attacker might be able to use this to add and delete fairly
+- arbitrary iptables rules. If your ftp clients don't mind receiving
+- data connections which are not from the ftp-server (all clients I
+- have tested are OK with this, and it is the rfc compliant
+- behaviour) then I suggest you leave this setting off.