Firewall Wizards mailing list archives
Re: inbound port 20
From: "Frank Heinzius" <frimp () mms de>
Date: Tue, 29 Jun 1999 10:04:48 +0200
Hi,

On 24 Jun 99, at 9:42, Kaptain wrote:

> Hi all. We are having a live update issue with Symantec because our firewall blocks inbound port 20 and that is the response port that opens to receive their file via ftp. We are considering opening the port permanently or semi-permanently to alleviate the problem. Can anyone point to any security issues that might be associated with this and/or any precautions we should take if we open the port? Thanks in advance for any advice.

All data transferred during an active ftp session is transferred over a second connection. The problem is that this connection is initiated from the server, port 20, to a destination port >1023 on your client machine.

It depends on the capabilities of your firewall:

If you have "normal" static packet filtering, you have to open connections from the Internet (tm), port 20, to all your ftp-allowed clients in your network, port >1023, with the ACK bit set (sometimes the keyword is "established" on some firewalls). This makes it easy for internal/external hackers to install a tunnel through your firewall. The next point is that packets initiated from port 20 with the ACK bit set are passed to the client machine. DoS attacks are possible.

If you have dynamic stateful packet inspection, you are able to set up a dependency mask: only allow connections initiated from port 20 to port >1023 on the inside if the client opened a control connection from a port >1023 to the server address, port 21. Of course, this dependency relies on a history timeout value. 5 minutes should be enough.

An alternative is passive ftp: most clients, especially Web browsers, use it. The control connection is the same as with active ftp. However, the data connection is made from the client to the server as well! So you don't have to open incoming connections.

If you have a firewall with Layer 4/5 capabilities, it will be able to capture the PORT command from the ftp control session to get the two port numbers for the data channel. Only connections between those ports will be allowed during this session.

Kind Regards / Mit freundlichen Gruessen,
--
Frank M. Heinzius                MMS Communication AG
mailto:frimp () mms de            Eiffestrasse 598
http://www.mms.de                20537 Hamburg, Germany
Phone: +49 40 211105-40          Fax: +49 40 210 32 210
-- spam forbidden --             -- PGP key available --
Current thread:
- inbound port 20 Kaptain (Jun 28)
- Re: inbound port 20 Frank Heinzius (Jun 29)
- Re: inbound port 20 Thorkild Stray (Jun 29)