Firewall Wizards mailing list archives
RE: New ftp behavior
From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Mon, 27 Oct 1997 15:46:08 -0500
I've seen something similar happen when overloading IP addresses on the same machine interface. The system will accept incoming packets on either IP address, but the reply packet is from the first (top) IP address in the routing table. This happens even if you have yyy and zzz on different subnets and overload the IP address on the gateway and make sure subnets match - the traffic originating on the server still goes out the first address in the stack. Best to get rid of the IP overloading on the server. You can also try to set a different priority on each IP subnet and aim them at different gateways.

This is different from the problem where the FTP command connection is on one IP/port connection while FTP data is on another IP/port pair. A poorly designed load balancing cluster might also be the culprit. PASV might help this, if it's supported. A more common FTP implementation from the server/cluster would be preferable, or you can manually open ports on the firewall. With a stateful inspection firewall with a command language (FW-1) you could also try to code your own stateful FTP rule (my least favorite solution.)

Adam

---------------
Adam Safier, Network Engineering Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737 Internal: 8*273-5737 Fax: 301-340-4005
Adam.Safier () geis ge com
http://www.geis.com
I'm proud to live in a country where I can express my personal opinions. The opinions above may not be shared by my employer.
---------------
-----Original Message-----
From: dharris () kcp com [SMTP:dharris () kcp com]
Sent: Thursday, October 23, 1997 12:18 PM
To: mbloomer () kcp com; sralstin () kcp com; firewall-wizards () nfr net; firewalls () GreatCircle COM
Cc: cbailey () kcp com; dmchugh () kcp com
Subject: New ftp behavior

This one is new to me so I don't know what to do about it. I had a customer trying to use Netscape Navigator to download a file through an ftp:// URL on a Web page at a vendor site. They received the error:

FTP File Transfer Failed: The FTP request could not be completed because the server is responding in an insecure manner.

I checked the logs and discovered that, although the original ftp connection was made to xxx.xxx.xxx.yyy, the response was coming from xxx.xxx.xxx.zzz. The firewall very properly considered this an attempt to hijack an open port and closed the ftp transaction.

What causes the remote site to behave this way? It looks like the command portion of the ftp transaction is done with xxx.xxx.xxx.yyy while the data portion is done with xxx.xxx.xxx.zzz. Maybe this is done for load-sharing, but it sure doesn't get past MY firewall.

Delmer
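As an added illustration (not code from either poster, and not any firewall product's implementation): the kind of stateful check the firewall in the thread applied to the FTP data channel, in Python. The function names are hypothetical, and the addresses are constructed from the RFC 5737 documentation range, with 192.0.2.10 standing in for xxx.xxx.xxx.yyy and 192.0.2.11 for xxx.xxx.xxx.zzz.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (host, port) advertised in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(control_server_ip, reply):
    """Passive mode: the client connects out to whatever the server advertised,
    so only allow it if the advertised host is the control-connection peer."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return False, "unparseable 227 reply"
    host, port = parsed
    if host != control_server_ip:
        return False, "advertised data host %s != control peer %s" % (host, control_server_ip)
    if port < 1024:
        return False, "advertised privileged data port %d" % port
    return True, "allow client -> %s:%d" % (host, port)


def check_active_data_connection(control_server_ip, src_ip, src_port):
    """Active mode: the server connects back to the client. Accept the inbound
    data connection only from the control peer, from RFC 959's default port 20."""
    if src_ip != control_server_ip:
        return False, "data connection from %s but control peer is %s" % (src_ip, control_server_ip)
    if src_port != 20:
        return False, "unexpected data source port %d" % src_port
    return True, "allow data connection from %s:%d" % (src_ip, src_port)


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 range) standing in for xxx.xxx.xxx.yyy / .zzz.
    control_peer = "192.0.2.10"
    print(check_pasv_reply(control_peer, "227 Entering Passive Mode (192,0,2,10,195,80)"))
    print(check_pasv_reply(control_peer, "227 Entering Passive Mode (192,0,2,11,195,80)"))
    print(check_active_data_connection(control_peer, "192.0.2.11", 20))
```

The second and third calls reproduce the thread's case: the data endpoint belongs to a different host than the control connection, and the check rejects it exactly as Delmer's firewall did.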