Bugtraq mailing list archives

Re: ftpd: the advisory version

From: djb () CR YP TO (D. J. Bernstein)
Date: Thu, 6 Jul 2000 18:20:14 -0000


monti writes:

*allowing* other than src-20 active data connections through a firewall,


Why are you allowing PORT-style FTP through your firewall? See RFC 1579.
Can I scan port 6000 on your hosts if I set my source port to 20?

Netscape uses PASV. The OpenBSD ftp client uses PASV. The Linux ftp
client uses PASV if you give it the -p option. Internet Explorer uses
PASV. What makes you think that requiring PASV will noticeably increase
the level of user annoyance at your firewall?

---Dan

Current thread:

Re: ftpd: the advisory version Valdis Kletnieks (Jun 30)
- Re: ftpd: the advisory version Tom Perrine (Jul 02)
- Conclusion to recent working WuFTPD Exploits Eric Hines (Jul 05)
- <Possible follow-ups>
- Re: ftpd: the advisory version Carson Gaspar (Jun 30)
  - Re: ftpd: the advisory version Mike Gleason (Jul 02)
  - [RHSA-2000:016-03] Multiple local imwheel vulnerabilities bugzilla () REDHAT COM (Jul 03)
  - Re: ftpd: the advisory version monti (Jul 05)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 06)
    - Re: ftpd: the advisory version monti (Jul 07)
    - Re: ftpd: the advisory version Mikael Olsson (Jul 07)
    - Re: ftpd: the advisory version David Maxwell (Jul 07)
    - Re: ftpd: the advisory version D. J. Bernstein (Jul 10)
    - Re: ftpd: the advisory version Richard Rager (Jul 11)
    - Infosec.20000712.worldclient.2.1 Rikard Carlsson (Jul 12)
    - ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed J C (Jul 10)
    - Novell Border Manger - Anyone can pose as an authenticated user Coward, Anonymous (Jul 07)
  - [RHSA-2000:042-01] BitchX denial of service vulnerability bugzilla () REDHAT COM (Jul 06)
- Re: ftpd: the advisory version Taneli Huuskonen (Jul 01)

(Thread continues...)