Firewall Wizards mailing list archives

Re: New ftp behavior


From: Jyri Kaljundi <jk () stallion ee>
Date: Fri, 24 Oct 1997 14:29:58 +0300 (EET DST)

On Thu, 23 Oct 1997 dharris () kcp com wrote:

> I checked the logs and discovered that, although the original ftp
> connection was made to xxx.xxx.xxx.yyy, the response was coming from
> xxx.xxx.xxx.zzz.  The firewall very properly considered this an attempt to
> hijack an open port and closed the ftp transaction.

Usually this is a sign of a host with multiple IP addresses. For example,
if you set up many IP addresses on Solaris 2.6 (Intel or Sparc), it
usually uses a round-robin kind of system to find an IP address for the
outgoing connection. So if you have 200 addresses defined, you will have a
different source address for every one of the 200 times you try. This can
be stopped by `ndd -set /dev/ip ip_enable_group_ifs 0` in /etc/rc2.d/S69inet,
in which case the machine will always use the last virtual IP address. This
is called interface groups; have a look at man ifconfig.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
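The check the original poster's firewall applied (the FTP data connection must come from the same peer as the control connection it belongs to) can be reproduced offline over firewall logs. The script below is an added illustration and is not part of the thread or of any product mentioned in it: the log line format and the addresses in it are constructed for this example, and the function name is my own. A finding from this check is exactly the symptom described above, and, as Jyri's reply explains, it may be a multi-homed server rotating its source address rather than a hijack attempt, so it is a lead to investigate, not a verdict.

```python
"""Correlate FTP data connections with their control session and flag any
data connection whose peer address differs from the control server.

Added example, not from the original mailing-list post.  The log format
below is constructed for this illustration; real firewalls log differently.
"""

import re

# Constructed sample log: one control session to 192.0.2.10, then two data
# connections for that session, the second arriving from 192.0.2.11.
SAMPLE_LOG = """\
1997-10-23 10:01:02 ctrl client=198.51.100.5:40001 server=192.0.2.10:21
1997-10-23 10:01:05 data session=198.51.100.5:40001 peer=192.0.2.10:20
1997-10-23 10:01:09 data session=198.51.100.5:40001 peer=192.0.2.11:20
"""

# One regex for both record kinds of the constructed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>ctrl|data) "
    r"(?:client=(?P<client>[\d.]+:\d+) server=(?P<server>[\d.]+):\d+"
    r"|session=(?P<session>[\d.]+:\d+) peer=(?P<peer>[\d.]+):\d+)$"
)


def find_mismatched_data_peers(log_text):
    """Return a list of (timestamp, session, expected_peer, actual_peer).

    expected_peer is the server address of the control session the data
    record references; it is None when no control session was seen for
    that session key (a data connection with no matching control session).
    """
    control_peer = {}  # session key (client addr:port) -> control server address
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        if m.group("kind") == "ctrl":
            control_peer[m.group("client")] = m.group("server")
            continue
        session = m.group("session")
        actual = m.group("peer")
        expected = control_peer.get(session)
        if expected is None or expected != actual:
            findings.append((m.group("ts"), session, expected, actual))
    return findings


if __name__ == "__main__":
    for ts, session, expected, actual in find_mismatched_data_peers(SAMPLE_LOG):
        print(f"{ts} session {session}: control peer {expected}, data peer {actual}")
```

Running it on the constructed sample reports the single data connection from 192.0.2.11. On a host behaving as Jyri describes, the same session key would show data peers cycling through the server's whole address set, which is the pattern that distinguishes a multi-homed server from a single stray connection.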
