Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
Date: Fri Mar 17 2000 - 10:44:17 CST

With Firewall-1 all ports defined in the /etc/services file will be denied
connections to during an ftp session. This is defined in the file base.def
as follows:
// ports which are dangerous to connect to
             ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)

Firewall-1 does not differentiate between file transfers initiated from your
internal network and those of a public ftp server serving the
internet. This often causes problems with large file transfers, or when
transferring lots of files. Firewall administrators might for this reason
disable this function as described here:

Also Raptor Firewall has a similar setting in config.cf:
# This restricts ports rather less that allow_low_ports. Raptor strongly
# recommends that you do NOT enable this option.

I'm not sure about other firewalls, but they're likely to have similar

The basic line is: If you're having a public ftp server, you should put all
of its listening ports >1023 in the /etc/services file of the firewall.

This might be difficult to check with many client PCs, and the ftp security
server might be a solution to protect them. Users will complain that some
ftp commands (quote) will not work anymore, but it's always security vs
functionality vs obscurity.


-----Original Message-----
From: Darren Reed [mailto:avalonCOOMBS.ANU.EDU.AU]
Sent: 15 March 2000 12:43
Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP


So the upshot of this is with FW-1, you're screwed until you
get the relevant fixes in place for ftp. With any proxy
based solution, you should only allow passive FTP.
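The filtering rule the thread describes (deny any data connection requested via PORT that targets a port listed in the firewall's /etc/services, and, unless low ports are explicitly allowed as in Raptor's config.cf, any privileged port) can be stated as a small check. The following is an added illustration written for this archive; it is not code from Firewall-1, Raptor, or either poster. The services excerpt, the "myservice 8080/tcp" entry standing in for a public ftp server's extra listening port, and the function names are all constructed for the example.

```python
import re

# Constructed /etc/services-style excerpt (not the page's file). The last
# entry shows the thread's advice: list the public ftp server's own
# listening ports >1023 so the ALG will never open them from a PORT command.
SERVICES_TEXT = """
ftp-data   20/tcp
ftp        21/tcp
ssh        22/tcp
telnet     23/tcp
smtp       25/tcp
domain     53/tcp
domain     53/udp
http       80/tcp
x11      6000/tcp   # X Window System
irc      6667/tcp
myservice 8080/tcp  # constructed: extra service on the public ftp host
"""

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def load_tcp_services(text):
    """Return the set of TCP port numbers listed in /etc/services-style text."""
    ports = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and port.isdigit():
            ports.add(int(port))
    return ports


def parse_port_command(line):
    """Parse an FTP PORT command into (host, port); raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_port_command(line, tcp_services, allow_low_ports=False):
    """Decide whether an FTP ALG should open the data port requested by PORT.

    Returns (allowed, reason). Denies listed services (the base.def check)
    and, unless allow_low_ports is set, any privileged port (< 1024).
    """
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if port < 1024 and not allow_low_ports:
        return False, f"reject: privileged port {port}"
    if port in tcp_services:
        return False, f"reject: port {port} is a listed service"
    return True, f"allow: {host}:{port}"


if __name__ == "__main__":
    services = load_tcp_services(SERVICES_TEXT)
    for cmd in ("PORT 10,0,0,5,4,1",      # 1025: ordinary ephemeral port
                "PORT 10,0,0,5,0,25",     # 25: smtp
                "PORT 10,0,0,5,23,112",   # 6000: X11
                "PORT 10,0,0,5,31,144",   # 8080: the constructed extra service
                "PORT 10,0,0,5,4"):       # malformed
        print(cmd, "->", check_port_command(cmd, services)[1])
```

Because the check keys on the services list, the administrator's job from the thread reduces to keeping that list complete for every port the protected host actually listens on; a port that is neither listed nor privileged is opened, which is exactly the gap the original advisory is about.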