Firewall Wizards mailing list archives

Re: New ftp behavior


From: David Aylesworth <dave () tlogic com>
Date: Mon, 27 Oct 97 14:11:47 -0500

This is actually not in violation of the specs (RFCs 959 and 1123), otherwise
PORT and PASV commands would not include an IP address with the port number.
As several people mentioned, this behavior is all too common on the Internet
(mostly from hosts with interface aliases).  Our firewall (and I'm sure many of
our competitors') supports enabling or disabling the enforcement of this
restriction on a per-policy basis.  We recommend that as customers find popular
servers that exhibit this (mis)behavior, they add the server's address to a
different firewall policy that does not enforce this address matching
restriction.

-Dave

In article <199710231622.LAA24519 () nfr net>, Delmer wrote:
I checked the logs and discovered that, although the original ftp
connection was made to xxx.xxx.xxx.yyy, the response was coming from
xxx.xxx.xxx.zzz.  The firewall very properly considered this an attempt to
hijack an open port and closed the ftp transaction.

David Aylesworth
Technologic, Inc
david.aylesworth () tlogic com
770/522-0222 x228
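The address-matching check the thread is about, worked through as an added example (not code from the original post or from Technologic's firewall): the PORT command and the 227 PASV reply both carry an address in the RFC 959 h1,h2,h3,h4,p1,p2 form, and a proxy or firewall compares that address (or the source of an incoming data connection) against the control-connection peer that supplied it. The `relaxed_peers` parameter is a hypothetical stand-in for the per-policy exemption Dave describes; the addresses and reply lines are constructed samples.

```python
import ipaddress
import re

# RFC 959 host-port syntax used by both the PORT command and the 227 PASV reply:
# h1,h2,h3,h4,p1,p2  (four address octets, then the 16-bit port as two octets)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply line.

    Raises ValueError when the line carries no well-formed tuple; a proxy
    should treat that as a protocol error rather than guess at an address.
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % line)
    ip = str(ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)))
    return ip, p1 * 256 + p2


def data_endpoint_verdict(control_peer, data_ip, relaxed_peers=frozenset()):
    """Apply the address-matching restriction.

    control_peer  - IP of the party that supplied the address (the client for
                    PORT, the server for PASV), as seen on the control connection
    data_ip       - address advertised in PORT/PASV, or the source address of an
                    incoming data connection
    relaxed_peers - hypothetical per-policy exemption list: control peers for
                    which the restriction is not enforced
    """
    if data_ip == control_peer:
        return "allow"
    if control_peer in relaxed_peers:
        # Known multi-homed/aliased host placed in a non-enforcing policy
        return "allow-relaxed"
    return "deny"


def check_pasv(server_ip, pasv_reply, relaxed_peers=frozenset()):
    """Parse a 227 reply and judge it against the server's control-connection IP."""
    data_ip, port = parse_hostport(pasv_reply)
    return data_endpoint_verdict(server_ip, data_ip, relaxed_peers), data_ip, port


if __name__ == "__main__":
    # Constructed sample: control connection to 192.0.2.10, PASV reply names 192.0.2.11
    reply = "227 Entering Passive Mode (192,0,2,11,19,137)"
    print(check_pasv("192.0.2.10", reply))                                    # deny
    print(check_pasv("192.0.2.10", reply, relaxed_peers={"192.0.2.10"}))      # allow-relaxed
```

`data_endpoint_verdict` is deliberately separate from the parser so the same rule can be applied to an observed data-connection source address (Delmer's case, where the reply arrived from a different host than the one the control connection was made to) as well as to an advertised one.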
