Firewall Wizards mailing list archives

Re: R: New ftp behavior


From: Mike Shaver <shaver () netscape com>
Date: Sat, 08 Nov 1997 01:29:17 -0800

Franco RUGGIERI wrote:
> help me understand: a firewall proxy should be alerted because an FTP
> server, the very one it just interrogated in PASV mode, replies by giving
> the port to which to ask for data?
> *This* does look to me to be a poorly designed firewall (IMHO, of course).
> If a firewall, whose proxy requests a PASV FTP, cannot handle it...
> Please show me I'm wrong: I love to learn!

What happens if my FTP server returns port information which has your
trusting little client connect to port 23 of supersensitive.af.mil or
some such?  I would think it reasonable of a firewall to require what it
believes to be `reasonable' behaviour on the part of an FTP server, etc.
(There were real attacks like this, involving, I believe, <IMG> tags which
directed the browser to the telnet port of all.net, back when that was
`grounds' for a nastygram to domain contacts, etc.  Which side is the
victim of the attack depends on mens rea, I think.)

Enforcing a level of `correctness' beyond the requirements of the
application protocol is something for which people generally applaud
application proxies (please! no SPF debate!).

Mike
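The check Mike describes, as an added example that is not part of the original thread or of any particular firewall product: a proxy receives the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and refuses to open the data connection unless the advertised address is the same host it is already talking to on the control connection and the port is unprivileged. The sample replies and addresses (TEST-NET ranges) are constructed for the example; the function names are my own.

```python
import ipaddress
import re

# RFC 959 style PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Servers vary in the surrounding text, so only the six octets are required.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(v) for v in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_pasv(reply, control_peer_ip, min_port=1024):
    """Decide whether a proxy should honour a server's PASV reply.

    control_peer_ip is the address of the FTP server on the existing
    control connection. The data address the server hands back must be
    that same host (so the server cannot bounce the client at a third
    party), and the port must be unprivileged (so it cannot point the
    client at telnet/SMTP/etc. on any host, including itself).
    Returns (accepted, reason).
    """
    try:
        ip, port = parse_pasv(reply)
    except ValueError as exc:
        return False, "unparseable PASV reply: %s" % exc
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, "data address %s differs from control peer %s" % (ip, control_peer_ip)
    if port < min_port:
        return False, "data port %d is privileged" % port
    return True, "ok"


if __name__ == "__main__":
    # Constructed replies; 192.0.2.10 plays the server the proxy is talking to.
    SERVER = "192.0.2.10"
    samples = [
        "227 Entering Passive Mode (192,0,2,10,195,80)",   # honest: same host, port 50000
        "227 Entering Passive Mode (203,0,113,5,0,23)",    # bounce to telnet on another host
        "227 Entering Passive Mode (192,0,2,10,0,23)",     # same host, but port 23
        "500 Syntax error, command unrecognized",          # not a PASV reply at all
    ]
    for s in samples:
        ok, why = check_pasv(s, SERVER)
        print("%-5s %s  <- %s" % ("PASS" if ok else "DROP", why, s))
```

A proxy that applies this test on the 227 reply (and the mirror test on a client's PORT command, where the address must match the client's own) is exactly "requiring reasonable behaviour" in the sense of the post: nothing in RFC 959 forbids a server from naming an arbitrary host, but a data connection to anywhere other than the server itself is never what the user asked for.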
