Firewall Wizards mailing list archives
R: New ftp behavior
From: "Franco RUGGIERI" <fruggieri () selfin net>
Date: Wed, 5 Nov 1997 16:37:16 +0100
Wyllys, help me understand: a firewall proxy should be alerted because an FTP server, the very one it has just interrogated in PASV mode, replies by giving the port at which to ask for data? *This* does look to me like a poorly designed firewall (IMHO, of course). If a firewall whose proxy requests a PASV FTP cannot handle it... Please show me I'm wrong: I love to learn!

-------------------------------
Franco RUGGIERI
fruggieri () selfin net
----------
From: Wyllys Ingersoll <wyllys () reston ans net>
To: firewall-wizards () nfr net
Subject: Re: New ftp behavior
Date: Friday, 24 October 1997 13:40

The FTP problem described by Delmar might be corrected by having the FTP proxy on the client's firewall attempt to do a PASV (passive) mode connection to the ftp server. However, this is not necessarily a better idea, because in passive mode the server tells the client (in this case the FTP proxy requesting the file) what host and port to connect to in order to receive the actual data. If the server tells the proxy to connect to a different host, then a strictly written proxy might very well say "hmmm, that's not the place where I originally made the request, I'm going to report an error and forget it." I have seen this with a Sidewinder firewall in particular. Probably happens with others as well if you are NATing and doing some passthru.

The funny thing is that many HTTP firewalls normally won't complain about this type of activity when similar things occur with HTTP [i.e. allow a request to one IP address, reply from another]. I have often thought this to be a potential hole with some firewall implementations... but haven't taken the time to try to break it yet.

HTTP proxies don't suffer this problem because an HTTP transfer only ever involves a single connection to the server for every transaction. The HTTP proxy always initiates the connection to the web server, so there is no chance of it going to an unintended web site (unless someone has corrupted the DNS records, but that is another story). FTP is different because it involves 2 connections to the FTP server, one for the "control" connection, and a second one for transferring the data between the proxy and the ftp server.

--
Wyllys Ingersoll
ANS Communications
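The check the thread is arguing about, a proxy parsing the server's 227 PASV reply and comparing the advertised host with the peer of the control connection, as an added example in Python. This is not code from either poster or from any firewall product named above; the function names, the sample 227 replies and the IP addresses are constructed for illustration. It shows both the "strictly written proxy" behaviour (refuse a data target on another host) and the lenient alternative (keep the advertised port but connect to the control peer), which is what many clients do to cope with a server behind NAT advertising its private address:

```python
import re
from dataclasses import dataclass

# Six comma-separated numbers in the 227 text: h1,h2,h3,h4,p1,p2 (RFC 959).
# Searching for the tuple rather than the exact sentence tolerates servers
# whose 227 wording differs ("227 Passive mode (...)", "227 =h1,h2,...").
_PASV_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataTarget:
    host: str
    port: int


def parse_pasv_reply(reply: str) -> DataTarget:
    """Extract host and port from a 227 reply; raise ValueError on anything malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply[:3]!r}")
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in 227 reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]   # p1*256 + p2
    if port == 0:
        raise ValueError("data port 0 in 227 reply")
    return DataTarget(host, port)


def check_pasv_target(reply: str, control_peer: str, *, strict: bool = True):
    """Decide where (if anywhere) the proxy may open the data connection.

    control_peer is the IP address the control connection actually goes to
    (hypothetical parameter name).  strict=True is the "strictly written
    proxy" of the post: a 227 naming another host is refused.  strict=False
    is the lenient alternative: keep the advertised port but connect to
    control_peer, which also copes with a NATed server advertising its
    private address.  Returns (True, DataTarget) or (False, reason).
    """
    target = parse_pasv_reply(reply)
    if target.host == control_peer:
        return True, target
    if strict:
        return False, (f"227 advertises {target.host}:{target.port} but the "
                       f"control connection is to {control_peer}")
    return True, DataTarget(control_peer, target.port)


if __name__ == "__main__":
    # Constructed sample replies; the addresses are illustrative only.
    peer = "192.168.1.10"
    for reply in (
        "227 Entering Passive Mode (192,168,1,10,195,149).",
        "227 Entering Passive Mode (10,0,0,5,195,149).",
    ):
        for strict in (True, False):
            ok, detail = check_pasv_target(reply, peer, strict=strict)
            print(f"strict={strict!s:5} {reply!r} -> {ok} {detail}")
```

Whichever policy a proxy picks, the parse step matters on its own: the port is p1*256 + p2, octets above 255 and a port of 0 are rejected outright, and a reply that is not a 227 never reaches the decision. The strict branch is the one that produces the error the Sidewinder is described as reporting; the lenient branch trades that false positive for a connection that goes to the host the proxy already chose to talk to, so a server cannot redirect the data connection elsewhere either way.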
Current thread:
- R: New ftp behavior Franco RUGGIERI (Nov 07)
- Re: R: New ftp behavior Mike Shaver (Nov 08)