>>>>> "dharris" == dharris <dharris@kcp.com> writes:
dharris> I checked the logs and discovered that, although the original ftp
dharris> connection was made to xxx.xxx.xxx.yyy, the response was coming from
dharris> xxx.xxx.xxx.zzz. The firewall very properly considered this an attempt to
dharris> hijack an open port and closed the ftp transaction.
dharris> What causes the remote site to behave this way? It looks like the command
dharris> portion of the ftp transaction is done with xxx.xxx.xxx.yyy while the data
dharris> portion is done with xxx.xxx.xxx.zzz. Maybe this is done for load-sharing,
dharris> but it sure doesn't get past MY firewall.
Yup. Sounds like a Cisco LocalDirector (or some equally broken piece of
!@#$%). Anything that tries to do load balancing by munging IP addrs needs to
be able to do everything a good NAT box does, including modifying the FTP
data stream. Unfortunately, lots of folks get it wrong. <sigh>
--
Carson Gaspar -- carson@cs.columbia.edu carson@tla.org carson@cugc.org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
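The two halves of the problem Carson describes, as an added example that is not part of the original thread: the firewall's rule that an FTP data connection must involve the same remote host as the control connection, and the rewrite of the server's 227 (PASV) reply that a NAT box or load balancer has to perform so that rule keeps passing. The addresses and the sample reply are constructed (RFC 5737 documentation ranges); `VIP` and `REAL` stand in for the xxx.xxx.xxx.yyy and xxx.xxx.xxx.zzz hosts in the post.

```python
"""FTP PASV handling at a firewall versus a NAT/load balancer.

Added example, not code from the original post. Addresses and the 227 reply
are constructed for illustration.
"""
import re
from ipaddress import ip_address

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
# The text between the code and the parenthesis varies by server, so only the
# six numbers are anchored.
_PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection_allowed(control_peer, data_peer):
    """The firewall's rule from the thread: the host of a data connection (or
    the host advertised for one) must be the host of the control connection.
    A different address looks like an attempt to hijack the open port."""
    return ip_address(control_peer) == ip_address(data_peer)


def rewrite_pasv(reply, advertised_ip):
    """What a correct NAT/load balancer does to the server's 227 reply on the
    way out: replace the real server address with the address the client
    actually connected to, keeping the port octets intact. (The balancer must
    also steer the client's connection to that port back to the same real
    server; that mapping is outside this function.)"""
    if ip_address(advertised_ip).version != 4:
        raise ValueError("PASV carries IPv4 only; use EPSV for IPv6")
    _real_ip, port = parse_pasv(reply)  # validates the reply before touching it
    h = advertised_ip.split(".")
    p1, p2 = divmod(port, 256)
    new_tuple = f"({h[0]},{h[1]},{h[2]},{h[3]},{p1},{p2})"
    return re.sub(r"\([\d,]+\)", new_tuple, reply, count=1)


if __name__ == "__main__":
    VIP = "192.0.2.10"      # address the client connected to (xxx.xxx.xxx.yyy)
    REAL = "198.51.100.7"   # real server behind the balancer (xxx.xxx.xxx.zzz)
    # Constructed reply as a broken balancer would pass it through unmodified.
    reply = "227 Entering Passive Mode (198,51,100,7,19,137)\r\n"

    ip, port = parse_pasv(reply)
    print(f"server advertised {ip}:{port}; control peer is {VIP}")
    print("firewall allows data connection:", data_connection_allowed(VIP, ip))

    fixed = rewrite_pasv(reply, VIP)
    print("rewritten reply:", fixed.strip())
    print("firewall allows data connection:",
          data_connection_allowed(VIP, parse_pasv(fixed)[0]))
```

Run stand-alone, the first check prints `False` (the data address is the real server, so a firewall enforcing the rule drops the transfer) and the second prints `True` after the reply has been rewritten to carry the VIP. Active mode has the mirror-image problem: the client's PORT command carries its inside address, which the NAT on the client side has to rewrite, and the server's outbound data connection must be source-translated to the VIP so the client's firewall sees it coming from the control-connection peer.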