Bugtraq mailing list archives
Re: ftpd: the advisory version
From: david () FUNDY CA (David Maxwell)
Date: Sat, 8 Jul 2000 00:46:22 -0300
On Thu, Jul 06, 2000 at 06:20:14PM -0000, D. J. Bernstein wrote:
> Why are you allowing PORT-style FTP through your firewall? See RFC 1579. Can I scan port 6000 on your hosts if I set my source port to 20? Netscape uses PASV. The OpenBSD ftp client uses PASV. The Linux ftp client uses PASV if you give it the -p option. Internet Explorer uses PASV. What makes you think that requiring PASV will noticeably increase the level of user annoyance at your firewall?

A noticeable set of sites have ftp servers which don't support PASV. I say 'noticeable' because if you manage a site with a fair sized user base and turn active ftp support off, it won't take long for someone to ask why some address doesn't work anymore.

Active ftp can be supported while preventing host scanning by including NAT, or state-aware rules in your firewall setup. (If your software supports it.)

--
David Maxwell, david () vex net|david () maxwell net
--> Any sufficiently advanced Common Sense will seem like magic... - me