Great Circle Associates Firewalls
(June 1997)

Subject: Re: Stateful Packet Filters vs. Proxies
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 9 Jun 97 9:51:38 EDT
To: Darren Reed <avalon @ coombs . anu . edu . au>
Cc: firewalls <firewalls @ GreatCircle . COM>

The FTP port command thing was fixed, I don't know in what version.

I don't know what you mean by not recreating the upper
layers of data.  The reason FTP requires special
handling is because of the way FTP works, not TCP.
All of TCP is not a special case, as FTP is.  There
are a whole bunch of applications that work as
telnet-style TCP that one's SPF/proxy doesn't need to
have a clue about unless you want to do some
kind of filtering.

   Ryan

---------- Previous Message ----------
To: mike.jones
cc: hagan, Ryan.Russell, sjg, firewalls
From: avalon @ coombs . anu . edu . au (Darren Reed) @ smtp
Date: 06/10/97 12:31:41 AM
Subject: Re: Stateful Packet Filters vs. Proxies


In several reports, last year, it became apparent that Gauntlet (and
I suspect the FWTK) would not work with FW1 because the "PORT" command
was split over two packets (although this is now claimed to be fixed).

The point being, FW1 doesn't try to recreate the upper layers of data
properly, so anything which doesn't fit in one packet requires them to
provide "special case handling".  What they (and consumers) don't seem to
realise is that all of TCP is a "special case".  Consequently, their entire
suite of TCP proxies could be considered to be "flawed".

If you're curious about "how", then look at the Linux FTP masquerade
code - it too looks for everything in one packet (when I last looked).

Darren
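
Added example (not part of either message, and not code from FW1, Gauntlet, the FWTK or the Linux masquerade module): a per-packet matcher and a line-buffering inspector run over the same FTP "PORT" command, once whole and once split across two segments as described in the thread. The function names and sample traffic are constructed; segments are assumed to arrive in order with no retransmission or overlap, which real reassembly must also handle.

```python
import re

# FTP "PORT h1,h2,h3,h4,p1,p2" command, terminated by CRLF (RFC 959).
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.I)


def parse_port(line):
    """Return (ip, port) for one complete PORT line, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def per_packet_inspect(segments):
    """Treats every TCP segment as if it held whole command lines."""
    found = []
    for seg in segments:
        for line in seg.splitlines(keepends=True):
            hit = parse_port(line)
            if hit:
                found.append(hit)
    return found


def stream_inspect(segments, max_line=512):
    """Buffers the byte stream and parses only CRLF-terminated lines."""
    found, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            hit = parse_port(line + b"\r\n")
            if hit:
                found.append(hit)
        if len(buf) > max_line:  # bound the state held per connection
            raise ValueError("control line too long")
    return found


# Constructed control-channel traffic: the same command, whole and split.
WHOLE = [b"PORT 192,0,2,10,4,1\r\n"]
SPLIT = [b"PORT 192,0,2,", b"10,4,1\r\n"]
```

The per-packet version never sees the split command, so the data connection it announces would not be recognised; the buffering version recovers it at the cost of holding bounded per-connection state.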





