Security Basics mailing list archives
RE: FTP Proxy
From: Fernando Gont <fernando () gont com ar>
Date: Fri, 30 Jan 2004 14:23:03 -0300
At 08:29 30/01/2004 -0800, David Gillett wrote:
> > This requires more processing in the firewall, though.
> > Because the PORT command must be "patched" in the stream, it may be the
> > case that the firewall not only needs to recalculate TCP's checksum, but
> > may have to "recalculate" the sequence numbers, too. (The "patched" PORT
> > command might be longer or shorter than the original one).
>
> Who said anything about PATCHING the PORT commands?

Sorry, I got hung up thinking about NAT.
> > It's probably easier to configure the FTP server to use some specified
> > port range (and thus allow incoming connections on only those ports) than
> > configure *all* the clients that want to access your FTP site in a
> > similar way.
>
> BUT that's not how PASV FTP works! In PASV, the *CLIENT* picks a random
> port number, and sends the server a PORT command that says "I'm about to
> connect to your port XXX, please bend over and drop your pants." The
> server doesn't get to say "Please only use ports YYY-ZZZ."

That's not the way PASV FTP works! For passive FTP transfers, the client issues a *PASV* command. The server replies with an IP:port where it will listen for the client connection. And the client will connect to that IP:port, which has been specified by the *server*.

In active transfers, the client sends a *PORT* command telling the server on which IP:port it will listen for incoming connections. And the server will connect to that IP:port, which has been specified by the *client*.
Section 3.3 of RFC 959 says:
" Negotiating Non-Default Data Ports: The User-PI may specify a
non-default user side data port with the PORT command. The
User-PI may request the server side to identify a non-default
server side data port with the PASV command. "
Also from RFC 959:
" PASSIVE (PASV)
This command requests the server-DTP to "listen" on a data
port (which is not its default data port) and to wait for a
connection rather than initiate one upon receipt of a
transfer command. The response to this command includes the
host and port address this server is listening on.
"
and also
" DATA PORT (PORT)
The argument is a HOST-PORT specification for the data port
to be used in data connection. There are defaults for both
the user and server data ports, and under normal
circumstances this command and its reply are not needed. If
this command is used, the argument is the concatenation of a
32-bit internet host address and a 16-bit TCP port address.
This address information is broken into 8-bit fields and the
value of each field is transmitted as a decimal number (in
character string representation). The fields are separated
by commas. A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host
address.
"
As you see, in active transfer, the client *chooses* on which IP:port it
will accept connections. In passive transfers, the server *chooses* on
which port it will accept incoming connections.
> > BTW, the FTP server was external to his organization, so... why should
> > *he* take the risk?
>
> If I run an FTP server, must I assume *all* of the risk? If so, I'm going
> to get really picky about who I trust to connect to it....

Unless you expect that all clients be configured to use passive transfers, yes. Anyway, I don't think it's that risky....

--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
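As an added example (not code from the original message, nor from any FTP server or firewall product), here is the HOST-PORT encoding quoted above from RFC 959 decoded and re-encoded in Python, together with the sanity check an FTP-aware firewall or proxy applies before opening a pinhole for the data connection: the host in a PORT command must be the client's own control-connection address, and the host in the server's 227 reply to PASV must be the server's. The IP addresses and protocol lines are constructed sample data, and the function names are this example's own.

```python
"""Decode and encode the FTP HOST-PORT argument (RFC 959, "PORT h1,h2,h3,h4,p1,p2")
and derive which TCP data connection a firewall would have to permit.

Added example: not code from the original message or from any FTP implementation.
The IP addresses and protocol lines below are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, Tuple

# Six decimal fields separated by commas: four host octets, then the port
# split as p1 (high 8 bits) and p2 (low 8 bits).
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text: str) -> Tuple[str, int]:
    """Return (dotted_host, port) from a PORT argument or a 227 PASV reply."""
    m = _HOST_PORT_RE.search(text)
    if m is None:
        raise ValueError("no HOST-PORT specification in %r" % text)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("HOST-PORT field out of 8-bit range in %r" % text)
    host = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return host, port


def encode_host_port(host: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 string for a given IPv4 address and port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = ipaddress.IPv4Address(host).packed  # raises on non-IPv4 input
    return ",".join(str(b) for b in octets) + ",%d,%d" % (port >> 8, port & 0xFF)


def plan_data_connection(client_ip: str, server_ip: str, line: str) -> Dict[str, object]:
    """Given the control connection's endpoints and one line seen on it,
    say who will open the data connection and to where.

    The host check is the usual proxy/firewall sanity check: a client may
    only ask the server to connect back to the client itself (otherwise the
    server becomes a relay, the classic "FTP bounce"), and a PASV reply may
    only point the client at the server itself.
    """
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb == "PORT":
        host, port = decode_host_port(line)
        if host != client_ip:
            raise ValueError("PORT host %s is not the control peer %s" % (host, client_ip))
        # Active mode: the server initiates, from its data port (RFC 959's
        # default is L-1, i.e. 20; many servers use an ephemeral port instead,
        # so a firewall normally matches only the destination side).
        return {"mode": "active", "initiator": server_ip, "dst": (host, port)}
    if verb == "227":
        host, port = decode_host_port(line)
        if host != server_ip:
            raise ValueError("PASV host %s is not the control peer %s" % (host, server_ip))
        # Passive mode: the client initiates, to the port the server chose.
        return {"mode": "passive", "initiator": client_ip, "dst": (host, port)}
    raise ValueError("not a PORT command or PASV reply: %r" % line)


if __name__ == "__main__":
    # Constructed sample exchange between client 192.168.1.10 and server 10.0.0.5.
    print(plan_data_connection("192.168.1.10", "10.0.0.5", "PORT 192,168,1,10,4,1"))
    print(plan_data_connection("192.168.1.10", "10.0.0.5",
                               "227 Entering Passive Mode (10,0,0,5,195,80)."))
```

Run it as a script and the two printed dictionaries show the point of the thread: for the PORT line the initiator is the server and the destination is the client-chosen 192.168.1.10:1025; for the 227 line the initiator is the client and the destination is the server-chosen 10.0.0.5:50000. A PORT line naming any host other than the client's own address is rejected before any pinhole would be opened.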
Current thread:
- FTP Proxy pablo gietz (Jan 26)
- Re: FTP Proxy Narendra Prabhu (Jan 27)
- Re: FTP Prox Andrey Ponomarev (Jan 27)
- Re: FTP Proxy Fernando Gont (Jan 28)
- Re: FTP Proxy pablo gietz (Jan 28)
- Re: FTP Proxy Fernando Gont (Jan 29)
- RE: FTP Proxy David Gillett (Jan 29)
- RE: FTP Proxy Fernando Gont (Jan 30)
- RE: FTP Proxy David Gillett (Jan 30)
- RE: FTP Proxy Fernando Gont (Jan 30)
- RE: FTP Proxy David Gillett (Jan 30)
- Re: FTP Proxy pablo gietz (Jan 28)
- Re: FTP Proxy pablo gietz (Jan 30)
- Re: FTP Proxy Fernando Gont (Jan 30)
