Firewall Wizards: R: New ftp behavior

R: New ftp behavior

From: Franco RUGGIERI <fruggieri_at_selfin.net>
Date: Wed, 5 Nov 1997 16:37:16 +0100

Wyllys,
help me understand: a firewall proxy should be alerted because an FTP
server, the very one it just interrogated in PASV mode, replies by giving
the port to which to ask for data?
*This* does look to me to be a poorly designed firewall (IMHO, of course).
If a firewall, whose proxy requests a PASV FTP, cannot handle it...
Please show me I'm wrong: I love to learn!

-------------------------------
Franco RUGGIERI
fruggieri_at_selfin.net

----------
> From: Wyllys Ingersoll <wyllys_at_reston.ans.net>
> To: firewall-wizards_at_nfr.net
> Subject: Re: New ftp behavior
> Date: Friday 24 October 1997 13.40
>
>
> The FTP problem described by Delmar might be corrected by
> having the FTP proxy on the clients firewall attempt to do
> a PASV (passive) mode connection to the ftp server. However
> this is not necessarily a better idea, because in passive mode,
> the server tells the client (in this case the FTP proxy requesting
> the file) what host and port to connect to in order to receive
> the actual data. If the server tells the proxy to connect
> to a different host, then a strictly written proxy might
> very well say "hmmm, that's not the place where I originally
> made the request, I'm going to report an error and forget it."
>
>
> > I have seen this with a Sidewinder firewall in particular. Probably
> > happens with others as well if you are NATing and doing some passthru.
> > The funny thing is that many HTTP firewalls normally won't complain
> > about this type of activity when similar things occur with HTTP. [ie
> > -- allow a request to one ip address, reply from another] I have
> > often thought this to be a potential hole with some firewall
> > implementations....but haven't taken the time to try to break it yet.
>
> HTTP proxies don't suffer this problem because an HTTP transfer only
> ever involves a single connection to the server for every transaction.
> The HTTP proxy always initiates the connection to the web server, so
> there is no chance of it going to an unintended web site (unless someone
> has corrupted the DNS records, but that is another story). FTP
> is different because it involves 2 connections to the FTP server,
> one for the "control" connection, and a second one for
> transferring the data between the proxy and the ftp server.
>
> --
> Wyllys Ingersoll
> ANS Communications
Received on Nov 07 1997
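The "strictly written proxy" check Wyllys describes, as an added example that is not part of the original thread or of any firewall product mentioned in it: parse the server's 227 PASV reply and refuse the data connection when the advertised host is not the peer of the control connection. The low-port rejection is an extra assumption of this example, and the addresses are constructed documentation values.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return the (host, port) a 227 reply tells the client to connect to."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def check_pasv_target(control_peer, reply_line, min_port=1024):
    """Decide whether the proxy may open the data connection.

    control_peer is the IP address the control connection actually went to.
    Returns (allowed, reason). A mismatch between the advertised host and
    the control peer is the case the thread discusses; refusing ports below
    min_port is an additional (assumed) sanity check.
    """
    host, port = parse_pasv_reply(reply_line)
    if host != control_peer:
        return False, "PASV host %s differs from control peer %s" % (host, control_peer)
    if port < min_port:
        return False, "PASV port %d is below %d" % (port, min_port)
    return True, "data connection to %s:%d permitted" % (host, port)


if __name__ == "__main__":
    # Constructed sample replies; 192.0.2.10 is the server the proxy spoke to.
    for reply in ("227 Entering Passive Mode (192,0,2,10,19,137)",
                  "227 Entering Passive Mode (198,51,100,7,19,137)"):
        print(check_pasv_target("192.0.2.10", reply))
```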
