Firewall Wizards mailing list archives
Re: New ftp behavior
From: Wyllys Ingersoll <wyllys () reston ans net>
Date: Fri, 24 Oct 1997 08:40:17 -0400
The FTP problem described by Delmar might be corrected by having the FTP proxy on the client's firewall attempt to do a PASV (passive) mode connection to the ftp server. However this is not necessarily a better idea, because in passive mode, the server tells the client (in this case the FTP proxy requesting the file) what host and port to connect to in order to receive the actual data. If the server tells the proxy to connect to a different host, then a strictly written proxy might very well say "hmmm, that's not the place where I originally made the request, I'm going to report an error and forget it."
I have seen this with a Sidewinder firewall in particular. Probably happens with others as well if you are NATing and doing some passthru. The funny thing is that many HTTP firewalls normally won't complain about this type of activity when similar things occur with HTTP. [i.e. allow a request to one IP address, reply from another] I have often thought this to be a potential hole with some firewall implementations....but haven't taken the time to try to break it yet.
HTTP proxies don't suffer this problem because an HTTP transfer only ever involves a single connection to the server for every transaction. The HTTP proxy always initiates the connection to the web server, so there is no chance of it going to an unintended web site (unless someone has corrupted the DNS records, but that is another story). FTP is different because it involves 2 connections to the FTP server, one for the "control" connection, and a second one for transferring the data between the proxy and the ftp server.
-- Wyllys Ingersoll
ANS Communications
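The "strictly written proxy" behaviour described in the message, as an added example that is not part of the original post or of any firewall product mentioned: it parses the RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and refuses the data connection unless the advertised host is the same host the control connection is already talking to. The sample replies and the control-connection peer address are constructed for illustration; a real proxy would take the peer address from its control socket.

```python
import re
from ipaddress import ip_address

# The six comma-separated octets/port bytes in an RFC 959 "227" reply.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str):
    """Return (host, port) advertised in a 227 reply, or None if malformed."""
    if not reply.startswith("227"):
        return None
    m = _PASV_RE.search(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:          # each field is one byte
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2     # port = p1*256 + p2


def accept_pasv_data_target(reply: str, control_peer_ip: str):
    """Strict-proxy decision: only open the data connection to the host that
    owns the control connection, and only on an unprivileged port.
    Returns (accepted, reason, (host, port) or None)."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return False, "malformed or non-227 reply", None
    host, port = parsed
    if ip_address(host) != ip_address(control_peer_ip):
        # The server pointed us somewhere else: report an error and forget it.
        return False, "advertised host differs from control-connection peer", parsed
    if port < 1024:
        return False, "advertised port is privileged", parsed
    return True, "ok", parsed


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed: address the control connection went to
    for reply in (
        "227 Entering Passive Mode (192,0,2,10,195,149)",   # same host: accepted
        "227 Entering Passive Mode (192,0,2,99,195,149)",   # other host: refused
        "227 Entering Passive Mode (192,0,2,10,0,21)",      # privileged port: refused
        "227 Entering Passive Mode (192,0,2,10,195)",       # truncated: refused
    ):
        print(reply, "->", accept_pasv_data_target(reply, peer))
```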