1. I've heard or read allusions to the fact that there are
difficulties in setting up FTP to work transparently
across a firewall. Why, under what circumstances is this a
problem (i.e., what firewall configuration), and specifically
what is the workaround?
You can find this in the archives on ftp.greatcircle.com, so I'll just
summarize briefly.
FTP uses a separate TCP connection to transfer the actual files you're
sending or receiving. This connection is set up as an *incoming* call
to the client from the server. Naturally, most firewalls don't permit
incoming calls to pass through them.
Application gateways can handle this with no problem. Circuit-level
gateways have to make provisions for client processes to create listening
sockets. For packet filters -- well, you could allow calls in to
high-numbered ports, but that's risky. Or you could modify your ftp
client to emit a PASV command instead of a PORT command for each transfer,
so that the data channel is an outgoing call. There are diffs in the
archives for that, and I'm writing an RFC on the subject.
2. What is the name of the CERT advisory recommending ports to
screen?
I don't know if it's an advisory. You can pick up the file
pub/tech_tips/packet_filtering from ftp.cert.org. I'm told that
it's going to be updated soon.
--Steve Bellovin
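The PORT-versus-PASV distinction in the reply above, as an added example that is not code from the original thread: it parses both wire forms, records which side originates the TCP data connection, and models a client-site packet filter that passes only outbound calls (the filter and the sample addresses are constructed for the demo).

```python
import re

# Added demo (not from the original thread): who originates the FTP data
# connection in active (PORT) vs passive (PASV) mode. Sample addresses are constructed.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """Turn FTP's six comma-separated octets into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port(cmd):
    """Active mode. Client sends 'PORT h1,h2,h3,h4,p1,p2' naming a socket it
    listens on; the server then calls *in* to the client for the data."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("malformed PORT command")
    return _decode(m.groups())


def parse_pasv(reply):
    """Passive mode. Server answers PASV with '227 ... (h1,h2,h3,h4,p1,p2)'
    naming a socket it listens on; the client calls *out* for the data."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("malformed 227 reply")
    return _decode(m.groups())


def data_call(msg):
    """Classify one negotiation message: (initiator, (host, port) it connects to)."""
    if msg.startswith("PORT "):
        return "server", parse_port(msg)
    if msg.startswith("227 "):
        return "client", parse_pasv(msg)
    raise ValueError("not a PORT command or a 227 reply")


def client_site_filter_permits(msg):
    """Toy packet filter at the client's site (an assumption for this demo):
    it only passes TCP connections originated by the inside client, which is
    why active-mode data calls are dropped and passive-mode ones succeed."""
    return data_call(msg)[0] == "client"
```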