> Am a bit confused (and after reading RFC959 & doing some experiments
> am even more so).
> AFAICA, the FTP process is as follows: The user initiates the FTP process
> by making a connection to port 21 of the FTP server from a UDP (user defined
> port which seems to be in the 3000 - 4000 range). When a file is requested
> (unless passive mode is used which not everyone supports) the FTP server
> (which is somewhere out on the net) establishes a connection using a PORT
> command to open a connection from its port 20 to the user's UDP+1 and this
> is the channel over which data is passed.
> This sounds like the Firewall must allow a socket to be opened from port
> 20 at a remote site to "some UDP" port internally.
> My question is "How can a firewall tell the difference between a legitimate
> FTP request initiated locally and an intruder attempting to connect to "some"
> internal port from the intruder's port 20 ?". Is it able to require a previous
> Port 21 connection (allow connection B only if connection A was previously
> made) ?
Yes, that can be a problem. I believe mjr @
com or someone on this
mailing list had modified ftp or ftpd to only do passive mode. This
would reverse where the connection is originating from.
Christopher William Klaus <cklaus @
net> <iss @
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)998-5871.
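The "allow connection B only if connection A was previously made" check that the question asks about, written as an added Python example that is not part of this thread: a minimal stateful filter records outbound control connections to port 21, decodes RFC 959 PORT commands seen on them, and admits an inbound connection from the server's port 20 only when it matches a client port that was actually announced. The addresses, and the rule that the announced port must be unprivileged and belong to the announcing client, are assumptions for the example.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (each 0-255), port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(line):
    """Decode a PORT command into (host, port); None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpStatefulFilter:
    """Admit an inbound port-20 data connection (connection B) only when a
    prior control session (connection A) announced that client port."""

    def __init__(self):
        self.control = set()   # (client_ip, server_ip) control sessions seen
        self.expected = set()  # (server_ip, client_ip, client_port) from PORT

    def outbound(self, client_ip, server_ip, dst_port):
        # Outbound is permitted; remember control connections to port 21.
        if dst_port == 21:
            self.control.add((client_ip, server_ip))
        return True

    def control_line(self, client_ip, server_ip, line):
        # Inspect client->server control traffic for PORT announcements.
        if (client_ip, server_ip) not in self.control:
            return
        parsed = parse_port(line)
        if parsed is None:
            return
        host, port = parsed
        # Assumed policy: only open a hole back to the client that issued
        # the command, and never to a privileged port.
        if host == client_ip and port >= 1024:
            self.expected.add((server_ip, client_ip, port))

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # Connection B: accepted once, only if connection A announced it.
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.expected:
            self.expected.discard(key)
            return True
        return False
```

An unsolicited connection from some remote port 20, or a reuse of an already-consumed announcement, is refused because no matching PORT entry exists.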