Bugtraq mailing list archives
Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
From: Lars.Troen () MERKANTILDATA NO (Lars.Troen () MERKANTILDATA NO)
Date: Fri, 17 Mar 2000 17:44:17 +0100
With Firewall-1, all ports defined in the /etc/services file will be denied connections to during an ftp session. This is defined in the file base.def as follows:

// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) { (not ( ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0, set sr12 p, set sr1 0, log bad_conn)
.....

Firewall-1 does not differentiate between file transfers initiated from your internal network and those to a public ftp server you run that serves the internet. This often causes problems with large file transfers, or when transferring lots of files. Firewall administrators might for this reason disable this function, as described here:

http://www.phoneboy.com/fw1/faq/0106.html

Raptor Firewall also has a similar setting in config.cf:

# This restricts ports rather less that allow_low_ports. Raptor strongly
# recommends that you do NOT enable this option.
ftpd.allow_named_ports=NO

I'm not sure about other firewalls, but they're likely to have similar functionality.

The basic line is: if you have a public ftp server, you should put all of its listening ports >1023 in the /etc/services file of the firewall. This might be difficult to check with many client PCs, and the ftp security server might be a solution to protect them. Users will complain that some ftp commands (quote) will not work anymore, but it's always security vs functionality vs obscurity.

Lars

-----Original Message-----
From: Darren Reed [mailto:avalon () COOMBS ANU EDU AU]
Sent: 15. mars 2000 12:43
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP client

[SNIP]

So the upshot of this is with FW-1, you're screwed until you get the relevant fixes in place for ftp. With any proxy based solution, you should only allow passive FTP.

Darren
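The post above describes the NOTSERVER_TCP_PORT check in Firewall-1's base.def (deny an ftp data connection whose port appears in tcp_services, built from /etc/services) and the advice to list a public ftp server's other listening ports there so a forged PASV reply cannot open them. The following is an added example, not code from the original post or from Check Point or Raptor: it parses a constructed /etc/services excerpt, decodes the port from a 227 PASV reply, and applies the same allow/deny logic. The hypothetical `http-alt 8080/tcp` entry stands in for an extra listener on the ftp host, and the "host mismatch" check (PASV address must equal the control-connection peer) is an additional sanity check not mentioned in the post.

```python
import re

# Constructed /etc/services excerpt (not from the original post). The
# "http-alt 8080/tcp" line is a hypothetical extra listener on the ftp host,
# added the way Lars recommends so data connections to it are refused.
SERVICES_TEXT = """\
ftp-data    20/tcp
ftp         21/tcp
telnet      23/tcp
http        80/tcp
http-alt    8080/tcp      # hypothetical: web admin interface on the ftp host
x11         6000/tcp
"""


def parse_tcp_services(text):
    """Build the tcp_services set from /etc/services-style lines."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        port, _, proto = fields[1].partition("/")
        if proto == "tcp" and port.isdigit():
            ports.add(int(port))
    return ports


# 227 reply carries h1,h2,h3,h4,p1,p2; parentheses are optional in practice.
PASV_RE = re.compile(r"227 .*?\(?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)?")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 Entering Passive Mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def data_port_allowed(port, tcp_services):
    """Mimic NOTSERVER_TCP_PORT: a data port is acceptable only if it is a
    high port and not a known service. Returns (allowed, reason); the reason
    plays the role of the RCODE_TCP_SERV / bad_conn log entry."""
    if port < 1024:
        return False, "low port"
    if port in tcp_services:
        return False, "RCODE_TCP_SERV"   # port listed in /etc/services
    return True, "ok"


def check_pasv_reply(reply, tcp_services, server_ip):
    """Decide whether the firewall should open the data connection that a
    PASV reply asks the client to make. The host check is an extra sanity
    check (assumption, not from the post): the data host must be the server."""
    host, port = parse_pasv(reply)
    if host != server_ip:
        return False, "host mismatch"
    return data_port_allowed(port, tcp_services)


if __name__ == "__main__":
    services = parse_tcp_services(SERVICES_TEXT)
    server = "192.168.1.10"
    # Constructed replies: one legitimate, two that a hostile server (or an
    # attacker controlling the 227 text) could use to reach other ports.
    for reply in (
        "227 Entering Passive Mode (192,168,1,10,195,88)",   # port 50008
        "227 Entering Passive Mode (192,168,1,10,31,144)",   # port 8080
        "227 Entering Passive Mode (192,168,1,10,0,23)",     # port 23
    ):
        print(reply, "->", check_pasv_reply(reply, services, server))
```

The middle reply is the case the post's advice covers: 8080 is a high port, so only its presence in /etc/services makes the firewall refuse it. The cost is the one Lars notes, since any legitimate transfer that happens to land on a listed port is refused and logged as bad_conn too.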
Current thread:
- Re: Update: Extending the FTP "ALG" vulnerability to any FTP client Lars.Troen () MERKANTILDATA NO (Mar 17)
- Re: Update: Extending the FTP "ALG" vulnerability to any FTP clie David Grimes (Mar 20)
- Re: Update: Extending the FTP "ALG" vulnerability to any FTP client Paul Cardon (Mar 21)
- Re: Update: Extending the FTP "ALG" vulnerability to any FTP client Hugo.van.der.Kooij () CAIW NL (Mar 22)