Firewall Wizards mailing list archives
Re: R: New ftp behavior
From: Mike Shaver <shaver () netscape com>
Date: Sat, 08 Nov 1997 01:29:17 -0800
Franco RUGGIERI wrote:
help me understand: a firewall proxy should be alerted because an FTP server, the very one it just interrogated in PASV mode, replies by giving the port at which to ask for data? *This* does look to me to be a poorly designed firewall (IMHO, of course). If a firewall, whose proxy requests a PASV FTP, cannot handle it... Please show me I'm wrong: I love to learn!
What happens if my FTP server returns port information which has your trusting little client connect to port 23 of supersensitive.af.mil or some such? I would think it reasonable of a firewall to require what it believes to be `reasonable' behaviour on the part of an FTP server, etc.

(There were real attacks like this, involving I believe <IMG> tags which directed the browser to the telnet port of all.net, back when that was `grounds' for a nastygram to domain contacts, etc. Which side is the victim of the attack depends on mens rea, I think.)

Enforcing a level of `correctness' beyond the requirements of the application protocol is something for which people generally applaud application proxies (please! no SPF debate!).

Mike
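The check Mike is describing, a proxy refusing to follow a PASV reply that points somewhere other than the server the client is already talking to, is straightforward to express. The following is an added example written for this archive page; it is not code from either poster or from any particular firewall product. The policy it enforces (the advertised data host must equal the control-connection peer, and the port must be unprivileged) is an assumed one, the sample replies are constructed, and the addresses are from the documentation ranges rather than any real host.

```python
import re
from dataclasses import dataclass

# RFC 959 PASV reply shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass
class PasvTarget:
    host: str
    port: int


def parse_pasv(reply: str) -> PasvTarget:
    """Extract host and port from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a well-formed 227 PASV reply")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return PasvTarget(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv(reply: str, control_peer_ip: str, min_port: int = 1024):
    """Decide whether a proxy should let the client follow this PASV reply.

    Assumed policy (hypothetical, not any vendor's): the data connection may
    only go to the same host as the control connection, and only to an
    unprivileged port. Returns (allowed, reason).
    """
    try:
        target = parse_pasv(reply)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if target.host != control_peer_ip:
        return False, (f"reject: data host {target.host} differs from "
                       f"control peer {control_peer_ip}")
    if target.port < min_port:
        return False, f"reject: port {target.port} is a privileged port"
    return True, f"allow: {target.host}:{target.port}"


# Constructed sample traffic: the server the client connected to, and a few
# 227 replies it might send back.
CONTROL_PEER = "192.0.2.10"
SAMPLE_REPLIES = {
    "honest":    "227 Entering Passive Mode (192,0,2,10,200,21)",   # same host, port 51221
    "redirect":  "227 Entering Passive Mode (198,51,100,7,0,23)",   # other host, port 23
    "lowport":   "227 Entering Passive Mode (192,0,2,10,0,25)",     # same host, port 25
    "malformed": "227 Entering Passive Mode (192,0,2,10,300,1)",    # octet > 255
}


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        allowed, reason = check_pasv(reply, CONTROL_PEER)
        print(f"{name:10s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Only the first reply passes; the second is the redirection Mike describes (a data connection steered to the telnet port of an unrelated host), the third stays on the right host but aims at a service port, and the fourth fails parsing. A proxy that logs the rejection reason gives the operator the audit trail for exactly the kind of `unreasonable' server behaviour discussed above.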
Current thread:
- R: New ftp behavior Franco RUGGIERI (Nov 07)
- Re: R: New ftp behavior Mike Shaver (Nov 08)