Firewall Wizards mailing list archives
Re: New ftp behavior
From: Jyri Kaljundi <jk () stallion ee>
Date: Fri, 24 Oct 1997 14:29:58 +0300 (EET DST)
On Thu, 23 Oct 1997 dharris () kcp com wrote:
> I checked the logs and discovered that, although the original ftp connection was made to xxx.xxx.xxx.yyy, the response was coming from xxx.xxx.xxx.zzz. The firewall very properly considered this an attempt to hijack an open port and closed the ftp transaction.
Usually this is a sign of a host with multiple IP addresses. For example, if you set up many IP addresses on Solaris 2.6 (Intel or Sparc), it usually uses a round-robin kind of system to pick an IP address for the outgoing connection. So if you have 200 addresses defined, you will see a different source address on each of 200 successive tries.

This can be stopped by `ndd -set /dev/ip ip_enable_group_ifs 0` in /etc/rc2.d/S69inet, in which case the machine will always use the last virtual IP address. It is called interface groups; have a look at man ifconfig.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
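As an added illustration (not from the original thread or from either poster): a Python sketch of the stateful check the firewall in the quoted report applied. It records each outbound SYN and then requires every reply to come from exactly the address and port the client connected to. The log lines and their format are constructed for this example, and the /24 comparison is only a triage hint that a mismatch looks like a multi-homed server (the situation the reply above describes) rather than a third party; the packet is dropped either way.

```python
"""Added example (not from the original thread): a minimal stateful check of
the kind the quoted firewall applied.  It records each outbound SYN and then
requires every reply to come from exactly the address:port the client
connected to.  Log lines and their format are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    """Parse the constructed format '<src>:<sport> -> <dst>:<dport> <flags>'."""
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    fields = right.split()
    dst, dport = fields[0].rsplit(":", 1)
    flags = fields[1] if len(fields) > 1 else ""
    return Packet(src, int(sport), dst, int(dport), flags)


def same_subnet(a, b, prefix=24):
    """Triage hint only: do the two addresses share a /prefix?  (Assumed /24.)"""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def audit(lines):
    """Return (verdict, packet) pairs.  Verdicts:
    open                  client SYN, session recorded
    ok                    reply came from the address:port the client connected to
    mismatch-same-subnet  reply from another address in the same /24
                          (typical of a multi-homed server, as in the thread)
    mismatch              reply from an unrelated address
    unsolicited           reply for a client socket we never saw open"""
    sessions = {}  # (client_ip, client_port) -> (server_ip, server_port)
    verdicts = []
    for line in lines:
        p = parse_line(line)
        if p.flags == "S":
            sessions[(p.src, p.sport)] = (p.dst, p.dport)
            verdicts.append(("open", p))
            continue
        expected = sessions.get((p.dst, p.dport))
        if expected is None:
            verdicts.append(("unsolicited", p))
        elif expected == (p.src, p.sport):
            verdicts.append(("ok", p))
        elif same_subnet(expected[0], p.src):
            verdicts.append(("mismatch-same-subnet", p))
        else:
            verdicts.append(("mismatch", p))
    return verdicts


def decide(verdict):
    """Firewall policy: only an exact 4-tuple match passes.  The subnet hint
    helps the admin diagnose; it never makes the packet acceptable."""
    return "pass" if verdict in ("open", "ok") else "drop"


# Constructed sample: a client at 192.0.2.10 opens three FTP control
# connections to 198.51.100.5.  The second SYN/ACK comes back from
# 198.51.100.7 (the server's other address), the last from an outsider.
LOG = """\
192.0.2.10:40001 -> 198.51.100.5:21 S
198.51.100.5:21 -> 192.0.2.10:40001 SA
192.0.2.10:40002 -> 198.51.100.5:21 S
198.51.100.7:21 -> 192.0.2.10:40002 SA
203.0.113.9:21 -> 192.0.2.10:40003 SA
192.0.2.10:40004 -> 198.51.100.5:21 S
203.0.113.9:21 -> 192.0.2.10:40004 SA
""".splitlines()


if __name__ == "__main__":
    for verdict, p in audit(LOG):
        print(f"{decide(verdict):4} {verdict:22} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it over the constructed sample drops the reply from 198.51.100.7 just as the poster's firewall did, but labels it as a same-subnet mismatch so the administrator knows to look for a multi-homed server first rather than an attacker.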
Current thread:
- New ftp behavior dharris (Oct 23)
- Re: New ftp behavior Jyri Kaljundi (Oct 24)
- <Possible follow-ups>
- Re: New ftp behavior arager (Oct 23)
- Re: New ftp behavior Wyllys Ingersoll (Oct 24)
- Re: New ftp behavior Vern Paxson (Oct 23)
- New ftp behavior Petri Virkkula (Oct 27)
- Re: New ftp behavior David Aylesworth (Oct 27)
- RE: New ftp behavior Safier, Adam (GEIS) (Oct 27)
- Re: New ftp behavior Bernd Eckenfels (Oct 30)