Re: R: New ftp behavior
Mike Shaver (shaver netscape.com)
Sat, 08 Nov 1997 01:29:17 -0800
- In reply to: Marcus J. Ranum: "Re: Facts, not Fiction"
Franco RUGGIERI wrote:
> help me understand: a firewall proxy should be alerted because an FTP
> server, right the one he just interrogated in PASV mode, replies by giving
> the port to which ask for data?
> *This* does look to me to be a poorly designed firewall (IMHO, of course).
> If a firewall, whose proxy requests a PASV FTP, cannot handle it...
> Please show me I'm wrong: I love to learn!
What happens if my FTP server returns port information which has your
trusting little client connect to port 23 of supersensitive.af.mil or
some such? I would think it reasonable of a firewall to require what it
believes to be `reasonable' behaviour on the part of an FTP server, etc.
(There were real attacks like this, involving I believe <IMG> tags which
directed the browser to the telnet port of all.net, back when that was
`grounds' for a nastygram to domain contacts, etc. Which side is the
victim of the attack depends on mens rea, I think.)
Enforcing a level of `correctness' beyond the requirements of the
application protocol is something for which people generally applaud
application proxies (please! no SPF debate!).
Mike
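
The kind of check discussed in this message, as an added example that is not part of the original post or of any firewall product: a proxy validates the server's 227 (PASV) reply before letting the client open the data connection. The policy (data host must equal the control-connection peer, data port must be 1024 or above, reply must use the parenthesised form), the function names and the sample replies are assumptions of this sketch.

```python
import ipaddress
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Strictness choice of this example: the parenthesised form is required.
_PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def check_pasv_reply(line, control_peer_ip, min_port=1024):
    """Return (host, port) if the 227 reply is acceptable, else raise ValueError.

    control_peer_ip is the address the proxy's control connection is really
    connected to; the server's claim about itself is never trusted.
    """
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    host = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    port = fields[4] * 256 + fields[5]
    if host != ipaddress.IPv4Address(control_peer_ip):
        raise ValueError(f"data host {host} differs from control peer {control_peer_ip}")
    if port < min_port:
        raise ValueError(f"data port {port} is below {min_port}")
    return str(host), port

def verdict(line, control_peer_ip):
    """Proxy decision for one reply line, as a loggable string."""
    try:
        host, port = check_pasv_reply(line, control_peer_ip)
        return f"ALLOW {host}:{port}"
    except ValueError as exc:
        return f"DENY {exc}"

# Constructed sample replies (RFC 5737 documentation addresses).
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # same host, port 50000
    "227 Entering Passive Mode (198,51,100,7,0,23)",  # third-party host, port 23
    "227 Entering Passive Mode (192,0,2,10,0,23)",    # same host, privileged port
    "227 Entering Passive Mode (192,0,2,10,999,1)",   # malformed field
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample, "192.0.2.10"))
```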
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT