Great Circle Associates Firewalls
(March 1995)
 


Subject: Re: Outgoing ftp and filters
From: Carl Brown <carlb @ dfw . paranet . com>
Date: Fri, 31 Mar 1995 17:09:48 -0600 (CST)
To: Brent @ GreatCircle . COM (Brent Chapman)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <v02110158aba0fd28c70b @ [198 . 102 . 244 . 39]> from "Brent Chapman" at Mar 30, 95 10:41:56 pm

> >Also, how widely do the "main" public ftp servers support it?
> 
> I'm tempted to say "universally", but I'm sure there are exceptions.  If a
> server doesn't, people using the built-in FTP clients in WWW browsers like
> Mosaic and NetScape Navigator can't access the server; those clients are
> responsible for a pretty significant fraction of the activity on the
> Internet these days.

There are exceptions.  Texas A&M (where the Tiger and Drawbridge software
live - among others) is one.  I've run into a few others since I started 
using ncftp, which uses PASV.  If your ftp server is behind a packet 
filter, it is very inconvenient to try to set your packet filter up to
allow passive mode.  When the client issues a PASV command, the server
responds with a random port, which the client then connects to.  If you
want to let people do passive transfers from your machines, you have
to arrange it so that the port numbers given out by your internal
ftp servers are also allowed in by your packet filter (or you have a
packet filter which can open dynamic holes after it sees a PASV response).

The failure mode of a PASV-implementing client is usually not pretty.
The packet filter drops the session on the floor and you get to wait
quite a while before it times out.  Some packet filters send back
ICMP unreachable messages (at least some versions of Ciscos do this),
which can cause the client to drop the entire session.

With many setups this can lead to really annoying random failures.  Assume
a site allows packets in that are destined for unprivileged ports (>1024) 
and not for privileged ones (like most configurations I've seen) so that
outgoing non-passive ftps work.  Then assume that an internal server
is being queried by an external client using PASV.  Everything is fine,
until the internal server picks a privileged random port, and then the 
connection will "mysteriously" hang.

I like the idea of PASV connections, it just seems like it's a lot more
"Friendly" to the client's firewall than it is to the server's, and I
really hate the random failure mode.  It confuses my users and is a 
pain to diagnose.  I wish there was a better way.

-Carl 
---
Carl Brown, carlb @ dfw . paranet . com | "The only thing that is impossible
Network Analyst, PARANET          |  to do in UNIX is to figure out  
214/239-5544                      |  how to do certain things." 
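The hang Carl describes comes down to arithmetic on the server's 227 reply: the client connects to p1*256+p2, and a stateless filter that only admits inbound TCP to ports above 1024 silently drops the SYN whenever that number is privileged. The following script is an added example, not part of the original post or of any product mentioned in it; it parses constructed 227 reply lines, applies a hypothetical "allow inbound to ports >1024" rule (modelled as `lowest_allowed=1025`), and checks whether a server's configured passive port range would ever fall outside the filter's allowed range, which is the arrangement the post says you have to make.

```python
"""Check FTP PASV replies against a stateless packet-filter rule.

Added example (not from the original post). Assumptions:
  - the filter admits inbound TCP only to ports >= lowest_allowed (1025 models
    the ">1024 unprivileged" rule the post describes);
  - 227 replies carry six comma-separated fields h1,h2,h3,h4,p1,p2 and the
    data port is p1*256 + p2 (RFC 959 format; parentheses optional).
"""
import re

# Constructed sample replies as a server would send them; not captured data.
CONSTRUCTED_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,4,1)",     # port 1025: passes the filter
    "227 Entering Passive Mode (192,0,2,10,3,255)",   # port 1023: privileged, dropped
    "227 Entering Passive Mode (192,0,2,10,0,21)",    # port 21: privileged, dropped
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # port 50000: passes the filter
    "200 PORT command successful.",                   # not a PASV reply, ignored
]

# 227 code, any non-digit text (including an opening parenthesis), six fields.
PASV_RE = re.compile(r"^227\b[^\d]*(\d{1,3}(?:,\d{1,3}){5})")


def parse_pasv_reply(line):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def filter_verdict(port, lowest_allowed=1025):
    """Stateless filter: inbound TCP is admitted only to ports >= lowest_allowed."""
    return "allowed" if port >= lowest_allowed else "dropped"


def audit_pasv_replies(lines, lowest_allowed=1025):
    """Map each advertised data port to the filter's verdict on the client's SYN."""
    verdicts = {}
    for line in lines:
        parsed = parse_pasv_reply(line)
        if parsed is None:
            continue
        _host, port = parsed
        verdicts[port] = filter_verdict(port, lowest_allowed)
    return verdicts


def range_fits_filter(range_lo, range_hi, lowest_allowed=1025):
    """True if every port a server may hand out in 227 passes the filter rule.

    Use this to verify that a server's configured passive port range and the
    filter's allowed range agree before deploying, rather than discovering the
    mismatch as an intermittent hang.
    """
    if range_lo > range_hi or range_lo < 1 or range_hi > 65535:
        raise ValueError("invalid port range %d-%d" % (range_lo, range_hi))
    return range_lo >= lowest_allowed


if __name__ == "__main__":
    for port, verdict in sorted(audit_pasv_replies(CONSTRUCTED_REPLIES).items()):
        print("data port %5d -> %s" % (port, verdict))
    print("range 49152-65534 fits filter:", range_fits_filter(49152, 65534))
    print("range 1000-2000 fits filter:  ", range_fits_filter(1000, 2000))
```

The audit function is the diagnostic half (run it over the 227 lines from a client debug trace or server log to see which transfers the filter would have silently dropped); `range_fits_filter` is the preventive half, checking that the server's passive range and the filter's rule agree so the random port can never land below the threshold.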