Great Circle Associates Firewalls
(August 1994)
 


Subject: Port 20
From: Kenneth Duda <kjd @ DSG . Stanford . EDU>
Date: Tue, 2 Aug 1994 14:46:59 -0700
To: padgett @ tccslr . dnet . mmc . com
Cc: firewalls @ greatcircle . com
In-reply-to: A. Padgett Peterson, P.E. Information Security's message of Tue, 2 Aug 94 15:36:47 -0400 <9408021936 . AA03718 @ uvs1 . orl . mmc . com>

>> From what I have been able to gather, the best solution is to allow
>> inward access from port 20 on a remote host only for "established"
>> connections (understanding this could be spoofed) and only to ports above
>> 1023. There is some additional vulnerability imposed and might want
>> to specify that only some subnets/clients/proxy hosts have permission to
>> do so.

What does it mean to allow inward access only for "established"
connections?  I thought the problem here is whether or not to allow
the remote host to establish a connection.

It seems very dangerous to me to allow inbound TCP from remote port 20
to inside port > 1023.  If I knew you were doing this, and some of
your users did xhost +, for example, I could connect to their X
servers (binding my socket to local port 20 before connecting) and
hose them.

Kenneth J. Duda                http://www-dsg.stanford.edu/KennethDuda.html
<kjd @ cs . stanford . edu>    Stanford University Distributed Systems Group
415-723-9429                   Building 460  /  Stanford, CA 94305
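
The two points in the message above can be checked against a small model of a stateless packet filter. This is an added example, not part of the original message: it assumes "established" means "ACK bit set" (how flag-matching router access lists commonly treat it), uses constructed sample segments, and the carve-out range 6000-6063 for X displays is an illustrative choice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One inbound TCP segment as a stateless filter sees it."""
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    note: str

def rule_port20(seg):
    """Rule from the thread: inbound, source port 20, destination port > 1023."""
    return seg.src_port == 20 and seg.dst_port > 1023

def rule_port20_established(seg):
    """Same rule plus 'established', modelled as ACK set (assumption)."""
    return rule_port20(seg) and seg.ack

def rule_port20_excluding(seg, blocked=range(6000, 6064)):
    """Port-20 rule with known internal service ports denied first.
    The default range covers X displays :0 to :63 (illustrative choice)."""
    return rule_port20(seg) and seg.dst_port not in blocked

# Constructed sample traffic, all arriving from outside.
INBOUND = [
    Segment(20, 34567, syn=True, ack=False,
            note="FTP server opens active-mode data connection"),
    Segment(20, 34567, syn=False, ack=True,
            note="later data segment on that FTP connection"),
    Segment(20, 6000, syn=True, ack=False,
            note="new connection to X display :0, source port bound to 20"),
    Segment(1025, 6000, syn=True, ack=False,
            note="new connection to X display :0, ordinary source port"),
]

def evaluate(rule):
    """Return the permit/deny decision for each sample segment, in order."""
    return [rule(seg) for seg in INBOUND]

if __name__ == "__main__":
    for rule in (rule_port20, rule_port20_established, rule_port20_excluding):
        print(rule.__name__)
        for seg, permitted in zip(INBOUND, evaluate(rule)):
            print(f"  {'permit' if permitted else 'deny  '}  {seg.note}")
```

With "established" the filter also drops the FTP server's opening SYN, so active-mode data transfers fail. The carve-out protects only the listeners it names; any other service on a port above 1023 stays reachable from remote port 20.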



References:
  • Port 20
    From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)