Firewall Wizards
mailing list archives
R: New ftp behavior
From: "Franco RUGGIERI" <fruggieri () selfin net>
Date: Wed, 5 Nov 1997 16:37:16 +0100
Wyllys,
help me understand: a firewall proxy should be alerted because an FTP
server, the very one it just interrogated in PASV mode, replies by giving
the port at which to ask for data?
*This* does look to me to be a poorly designed firewall (IMHO, of course).
If a firewall, whose proxy requests a PASV FTP, cannot handle it...
Please show me I'm wrong: I love to learn!
-------------------------------
Franco RUGGIERI
fruggieri () selfin net
----------
From: Wyllys Ingersoll <wyllys () reston ans net>
To: firewall-wizards () nfr net
Subject: Re: New ftp behavior
Date: Friday, 24 October 1997 13:40
The FTP problem described by Delmar might be corrected by
having the FTP proxy on the clients firewall attempt to do
a PASV (passive) mode connection to the ftp server. However
this is not necessarily a better idea, because in passive mode,
the server tells the client (in this case the FTP proxy requesting
the file) what host and port to connect to in order to receive
the actual data. If the server tells the proxy to connect
to a different host, then a strictly written proxy might
very well say "hmmm, that's not the place where I originally
made the request, I'm going to report an error and forget it."
I have seen this with a Sidewinder firewall in particular. Probably
happens with others as well if you are NATing and doing some
passthru.
The funny thing is that many HTTP firewalls normally won't complain
about this type of activity when similar things occur with HTTP. [ie
-- allow a request to one ip address, reply from another] I have
often thought this to be a potential hole with some firewall
implementations....but haven't taken the time to try to break it yet.
HTTP proxies don't suffer this problem because an HTTP transfer only
ever involves a single connection to the server for every transaction.
The HTTP proxy always initiates the connection to the web server, so
there is no chance of it going to an unintended web site (unless someone
has corrupted the DNS records, but that is another story). FTP
is different because it involves 2 connections to the FTP server,
one for the "control" connection, and a second one for
transferring the data between the proxy and the ftp server.
--
Wyllys Ingersoll
ANS Communications
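As an added illustration of the check Wyllys describes (this is not code from the thread or from any firewall product), the following Python parses an FTP 227 PASV reply and, like a strict proxy, refuses to open the data connection when the advertised host differs from the control-connection peer or the port looks wrong. All addresses and reply strings are constructed samples; note that the same check is what trips over a NATed server that advertises its inside address.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str):
    """Return (host, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1,p2 are the high/low bytes of the port
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def check_pasv_target(control_peer: str, reply: str):
    """Decide whether a strict proxy should open the data connection.

    Returns (allowed, reason). Only a data endpoint on the same host the
    proxy spoke to on the control connection, on an unprivileged port,
    is accepted; anything else is logged as an error and dropped.
    """
    try:
        host, port = parse_pasv_reply(reply)
    except ValueError as e:
        return False, str(e)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "data host %s differs from control peer %s" % (host, control_peer)
    if port < 1024:
        return False, "data port %d is a privileged port" % port
    return True, "data connection to %s:%d permitted" % (host, port)


if __name__ == "__main__":
    # Constructed samples: the control connection went to 192.0.2.10.
    peer = "192.0.2.10"
    for r in ("227 Entering Passive Mode (192,0,2,10,19,137)",   # same host, port 5001
              "227 Entering Passive Mode (198,51,100,7,19,137)",  # different host
              "227 Entering Passive Mode (10,0,0,5,19,137)",      # NATed inside address
              "227 Entering Passive Mode (192,0,2,10,0,25)"):     # privileged port 25
        print(r, "->", check_pasv_target(peer, r))
```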