Firewalls: Re: Various FTPs

Firewalls
(October 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Various FTPs
From:	wbunting @ ch . inri . com (Bill Bunting)
Date:	Mon, 16 Oct 1995 09:48:57 -0400
To:	sgcccdc @ citec . qld . gov . au (Colin Campbell), matt @ uts . EDU . AU (Jas)
Cc:	firewalls @ GreatCircle . COM

At 09:51 AM 10/16/95 EST, Colin Campbell wrote:
>Hi,
>
>My mailer thinks Jas said:
>> 
>> Scott Barman wrote this...
>> 
>> > On Thu, 12 Oct 1995 padgett @
 tccslr .
 dnet .
 mmc .
 com wrote:
>> 
>> >> I agree with Marcus concerning the probloms in FTP & possibly IPV6
>> >> will repair/replace it. For now I suspect that the answer is a
>> 
>> > I have been "observing" the output of the IETF for IPv6 and have seen
>> > nothing regarding changing ftp.  It seems their concerns are a larger
>> > address space and security.  I don't think I'm alone in my desire to see
>> > something replace it and, as Marcus Ranum said about himself in a previous
>> > note, I'm not "big" enough to try to force a change!
>> 
>> well why dont we put our collective heads together and make a firewall
>> friendly file transfer protocol? then we can have people write up the
>> code on different platforms (we have enough knowledge here for almost
>> every possible conceivable platform), and GPL the stuff. well? any
>> takers? myself personally im in.
>>  
>
>Why doesn't PASV do the trick?
>
>Colin
>
>

Here is a clip from an earlier posting of mine.  The problem is how to do
FTP when both sides require PASV as is the case with many firewalls.  (i.e.
firewall to firewall FTP is the problem)

<cut>
Internal users are allowed to use FTP to login to non firewall protected
sites using passive FTP.  However, in order to have an FTP session, one of
the two sides must allow arbitrary port connections.  If two firewall
protected sites want to talk FTP, one of the two sides must allow arbitrary
ports.  With our firewall, this is not allowed.

Here is what it looks like (To simplify, TIS fwtk proxy not shown):

Client tries passive mode...
   C-|----------21-control-connection---|-> S
   C-|---21---PASV Command--------------|-> S
   C-|------arbitrary-port-for-data---->|   S (blocked by server side firewall)

Client tries PORT command....
   C-|----------21-control-connection---|-> S
   C-|---21-PORT--Command---------------|-> S
   C |<------arbitrary-port-for-data----|-  S
    (blocked by Client side firewall)
</cut>

regards,
-Bill.
 --------------------------------------- 
|    Bill Bunting, Software Engineer    |     ******
|Inter-National Research Institute, Inc.|   ***_******_  __    _  
| 1441 Crossways Boulevard, Suite 102   |  ===//=/\**//=/- )==//=
|     Chesapeake, Virginia 23320        | {==//=//\\//=//||==//==
|    V(804)424-8675 F(804)420-4262      |  =//=//==\/*//=||=//===
|         (wbunting @
 inri .
 com)           |   *********  
|         (bunting @
 cs .
 odu .
 edu)          |     *****   
|    http://www.cs.odu.edu/~bunting     | 
 ---------------------------------------

Follow-Ups:

Re: Various FTPs
From: sgcccdc @ citec . qld . gov . au (Colin Campbell)

Indexed By Date	Previous:	Re: ARPWatch under FreeBSD From: John Capo <jc @ irbs . com>
Indexed By Date	Next:	Re: Firewall1 Comparison -Reply From: janken @ rust . net (Kenneth J. Stephens)
Indexed By Thread	Previous:	Re: Various FTPs From: Ken Hardy <ken @ bridge . com>
Indexed By Thread	Next:	Re: Various FTPs From: sgcccdc @ citec . qld . gov . au (Colin Campbell)