----------
From: Dave Roberts [SMTP:djr@saa-cons.co.uk]
Sent: Friday, June 21, 1996 6:53 AM
To: Darwin Martinez
Cc: firewalls@GreatCircle.COM
Subject: Re: ftp problem
On Thu, 20 Jun 1996, Darwin Martinez wrote:
> When I ftp to a site, FW-1 allows the ftp connect (21) but then blocks the
> return data (ftp-data 20?). My rulebase allows both ftp & ftp-data from the
> internal nets outward. I'm doing NAT. After I connect, I see the actions
You would need to allow incoming connections from outside port 20 to
inside ports >1023 (probably excluding the X11 ports).
If you do this, then will you not be opening up potential source porting problems? Incoming TCP connections from port 20 on an attacking machine would make it through, no? Isn't the purpose behind PASV ftp specifically to stop this potential problem? Something to think about.
Alex F
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexf@iss.net
Marketing Specialist
Come visit the growing Vulnerability Database
http://www.iss.net
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
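The rule Dave proposes and the objection Alex raises can both be seen in a small model. The following is an added example and is not code from the thread, FW-1 or any real firewall: it evaluates a stateless "outside port 20 to inside >1023" rule, an FTP-aware filter that only admits the data connection a client actually announced with PORT, and PASV mode, where the data connection is opened outward by the client. The addresses (10.0.0.0/24 inside, 192.0.2.10 server, 198.51.100.7 attacker), ports and FTP control lines are constructed placeholders.

```python
"""
Added example, not code from the original thread.  Models the active-mode
FTP data connection as handled by (a) a stateless source-port-20 rule,
(b) a PORT-tracking stateful filter, and (c) PASV mode.  Every address,
port and control-channel line is a constructed placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."       # constructed internal net
X11_PORTS = range(6000, 6064)   # the X11 ports the reply suggests excluding


@dataclass(frozen=True)
class Conn:
    """A TCP connection attempt (SYN direction) as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int


def outbound_allowed(c: Conn) -> bool:
    """The poster's existing rule: anything from the inside nets going out."""
    return c.src.startswith(INSIDE_PREFIX) and not c.dst.startswith(INSIDE_PREFIX)


def stateless_ftp_data_allowed(c: Conn) -> bool:
    """The suggested rule written statelessly: any outside host whose source
    port is 20 may reach any inside port above 1023 except X11."""
    return (not c.src.startswith(INSIDE_PREFIX)
            and c.sport == 20
            and c.dst.startswith(INSIDE_PREFIX)
            and c.dport > 1023
            and c.dport not in X11_PORTS)


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hostport(groups) -> tuple[str, int]:
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class FtpStatefulFilter:
    """Admits an inbound port-20 connection only if the inside client just
    sent a PORT command naming exactly that address and port, and only once."""

    def __init__(self) -> None:
        self._expected: set[tuple[str, str, int]] = set()

    def observe_control(self, client: str, server: str, line: str) -> None:
        m = _PORT_RE.match(line)
        if m:
            ip, port = _hostport(m.groups())
            if ip == client and port > 1023:      # refuse bounce / low ports
                self._expected.add((server, ip, port))

    def data_allowed(self, c: Conn) -> bool:
        key = (c.src, c.dst, c.dport)
        if c.sport == 20 and key in self._expected:
            self._expected.discard(key)           # one data connection per PORT
            return True
        return False


def pasv_data_conn(client: str, client_port: int, reply_227: str) -> Conn | None:
    """PASV: the server names the endpoint and the inside client connects to
    it, so the data connection is outbound and needs no inbound rule."""
    m = _PASV_RE.match(reply_227)
    if not m:
        return None
    ip, port = _hostport(m.groups())
    return Conn(client, client_port, ip, port)


def demo() -> dict:
    client, server, attacker = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    results = {}

    # Legitimate active transfer: client sent PORT 10,0,0,5,4,1 (port 1025).
    legit = Conn(server, 20, client, 1025)
    # Attacker binds source port 20 and aims at any inside port above 1023.
    probe = Conn(attacker, 20, client, 8080)

    results["stateless_legit"] = stateless_ftp_data_allowed(legit)
    results["stateless_probe"] = stateless_ftp_data_allowed(probe)  # the hole

    f = FtpStatefulFilter()
    f.observe_control(client, server, "PORT 10,0,0,5,4,1")
    results["stateful_legit"] = f.data_allowed(legit)
    results["stateful_legit_replay"] = f.data_allowed(legit)
    results["stateful_probe"] = f.data_allowed(probe)

    # PASV reply (192,0,2,10,7,211) names port 7*256+211 = 2003 on the server.
    pasv = pasv_data_conn(client, 1026, "227 Entering Passive Mode (192,0,2,10,7,211)")
    results["pasv_outbound"] = pasv is not None and outbound_allowed(pasv)
    results["pasv_needs_inbound_rule"] = pasv is not None and stateless_ftp_data_allowed(pasv)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stateless rule admits the attacker's probe as readily as the real transfer, which is the source-porting problem Alex describes; the PORT-tracking filter admits only the announced endpoint and only once, and with PASV the data connection never has to be admitted inbound at all, so the existing "internal nets outward" rule already covers it.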