Firewall Wizards mailing list archives
Re: fwtk and ftp from behind of fw-1
From: vale () seclab com
Date: Mon, 20 Jul 1998 15:10:06 +0200
On Thu, Jul 16, 1998 at 05:44:14PM -0400, Rick Murphy wrote:
> At 02:33 PM 7/16/98 GMT, ark () eltex ru wrote:
>
> > I've noticed a strange problem: when i try to ftp from behind fw-1 to fwtk ftp-gw (fw-1 is set up to allow all outgoing connections from that machine), data connections hang. I've noticed the same thing does sometimes happen if i connect to other ftp servers, but only ftp-gw hangs constantly.
> >
> > fwtk 2.1 on freebsd 2.1.7.1+ipfilter 3.2.9, firewall-1 on NT (can't remember the version, it is not my firewall). ftp client is windoze'95 generic.
> >
> > Is it fwtk or fw-1 problem?
>
> Attempting to be vendor-neutral here - The FTP RFC specifies a default data port - port 20 - in the privileged range. The ftp-gw uses a random high-numbered port. FW1 will only work if the data port is the default port. (Old-time DEC folks will recognize this as a "mandatory default". If you don't think this has a nice ring to it, See figure 1.)
>
> You can fix this by binding the incoming socket in callback() to port 20.
>
> -Rick
right, ftp-gw as well as aftpd (mjr, too) doesn't bind the ftp-data connection to source port 20, thus making super-clever fw1's SPF unable to recognize the incoming connection. what's better, RFC or insane priv ports trusting? <GRIN>

I had a similar problem, topology is simplified, that is:

                 Internet
                    ||
                    ||
                    ||
              service network
      FW-1======================
       ||                   ||
       ||                   ||
       ||                   ||
      LAN              FTP server (aftpd by mjr)

Again, connections made to the server were okay, the ftp-data connection hung. To fix that I did the following (info gathered from a checkpoint tech bulletin, btw):

1. recompilation of the server (aftpd.c, ftp-gw.c is similar) with fixed unprivileged ftp-data connection port 20000 (any port > 1024, thus avoiding running the server with root priv)

2. patching the base INSPECT code ($FWDIR/lib/base.def), BACKUP YOUR OLD base.def before doing that. After the line (line 462 in my base.def):

       #define ftp_accept_port_clear \
           ENTRY_TYPE(r_ctype) = CONN_TCP, \

   suppose the ftp server IP address is 123.123.123.123 and the fixed ftp-data port is 20000, you have to add:

           set sr10 20000, \
           dst=123.123.123.123 or set sr10 20, \

   and modify the next line from:

           record <dst,20,src,sr1,ip_p> in accepted,

   into a new line as follows:

           record <dst,sr10,src,sr1,ip_p> in accepted,

3. save and compile the new database, good luck.

ciao.
.vale.

--
Valeriano Bedeschi          Intesis SECURITY LAB
Phone: +39-2-67156301       Via Settembrini, 35
Fax:   +39-2-66981953       I-20124 Milano ITALY
Email: vale () seclab com
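Added illustration, not part of the thread: a small Python model of the active-mode FTP pinhole the discussion turns on. The firewall reads the client's PORT command on the control channel, records the client address and port, and then (per the stock base.def rule quoted above) accepts a data SYN only if it comes from the server's port 20; the patched rule instead accepts the port held in sr10. The model shows why a proxy using a random high source port is dropped (the client sees a hang), why recompiling the server to port 20000 alone does not help, and why the recompile plus the base.def change does. Client and server addresses, port numbers and the PORT line are constructed sample values; the `expected_src_port` parameter is my stand-in for the sr10 register in the INSPECT code, not Check Point's own API.

```python
import re
from dataclasses import dataclass

# Constructed sample values (not from the thread); SERVER_IP reuses the
# placeholder address that the base.def example above uses.
CLIENT_IP = "10.1.1.5"
SERVER_IP = "123.123.123.123"

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Pinhole:
    """Temporary allow entry the firewall creates after seeing a PORT command."""
    server_ip: str
    server_port: int   # source port the firewall expects the data SYN to come FROM
    client_ip: str
    client_port: int


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(x > 255 for x in octets):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(x) for x in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable as a data port")
    return ip, port


def open_pinhole(port_line, server_ip, expected_src_port=20):
    """Stock rule: the data connection must originate from server port 20.
    expected_src_port=20000 models the patched rule with sr10 set to 20000
    (assumed mapping of the INSPECT register to this parameter)."""
    client_ip, client_port = parse_port_command(port_line)
    return Pinhole(server_ip, expected_src_port, client_ip, client_port)


def syn_accepted(pinhole, src_ip, src_port, dst_ip, dst_port):
    """True if an inbound data SYN matches the pinhole on all four tuple fields;
    otherwise the firewall drops it silently and the client sees a hung transfer."""
    return (src_ip, src_port, dst_ip, dst_port) == (
        pinhole.server_ip, pinhole.server_port,
        pinhole.client_ip, pinhole.client_port)


def demo():
    line = "PORT 10,1,1,5,4,1"                      # client wants data on 10.1.1.5:1025
    stock = open_pinhole(line, SERVER_IP)            # expects source port 20
    patched = open_pinhole(line, SERVER_IP, 20000)   # base.def with sr10 = 20000
    return {
        # plain ftpd: data from port 20 passes the stock rule
        "ftpd_port20_stock": syn_accepted(stock, SERVER_IP, 20, CLIENT_IP, 1025),
        # ftp-gw / aftpd: random high source port is dropped, transfer hangs
        "proxy_random_stock": syn_accepted(stock, SERVER_IP, 34567, CLIENT_IP, 1025),
        # server recompiled for port 20000 but base.def still stock: still dropped
        "proxy_20000_stock": syn_accepted(stock, SERVER_IP, 20000, CLIENT_IP, 1025),
        # server on 20000 plus patched base.def: accepted
        "proxy_20000_patched": syn_accepted(patched, SERVER_IP, 20000, CLIENT_IP, 1025),
        # another host using source port 20000 does not match the recorded server
        "other_host_patched": syn_accepted(patched, "198.51.100.9", 20000, CLIENT_IP, 1025),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "accepted" if ok else "dropped (client hangs)"))
```

The four-tuple check is what makes the stock rule brittle for proxies: it trusts the source port as an identity, which is exactly the "priv ports trusting" the message pokes fun at. Pinning the proxy to a fixed unprivileged port and teaching the rule that port keeps the match strict without running the proxy as root.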