[14364] in bugtraq
Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
daemon@ATHENA.MIT.EDU (David Grimes)
Tue Mar 21 00:48:03 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <005601bf9288$b5e40390$9e542bcf@cartman.ts.checkpoint.com>
Date:         Mon, 20 Mar 2000 10:24:05 -0600
Reply-To: David Grimes <dgrimes@TS.CHECKPOINT.COM>
From: David Grimes <dgrimes@TS.CHECKPOINT.COM>
X-To:         Lars.Troen@MERKANTILDATA.NO, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <51A8E31DE32DD211A0590008C71E7E4C5968DC@tro-03-msg.merkantildata.no>
FYI...
	FW-1 does not use /etc/services to match a service; FW-1 has an
internal database of predefined services, many of which aren't in the
services file....
david grimes
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of
> Lars.Troen@MERKANTILDATA.NO
> Sent: Friday, March 17, 2000 10:44 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP
> client
>
>
> With Firewall-1, connections to any port defined in the /etc/services file
> will be denied during an ftp session. This is defined in the file base.def
> as follows:
> // ports which are dangerous to connect to
> #define NOTSERVER_TCP_PORT(p) {
>       (not
>           (
>              ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
>               set sr12 p, set sr1 0, log bad_conn)
> .....
>
> Firewall-1 does not differentiate between file transfers initiated from your
> internal network and a public ftp server serving the internet. This often
> causes problems with large file transfers, or when transferring lots of
> files. Firewall administrators might for this reason disable this function
> as described here:
> http://www.phoneboy.com/fw1/faq/0106.html
>
> Also Raptor Firewall has a similar setting in config.cf:
> # This restricts ports rather less that allow_low_ports. Raptor strongly
> # recommends that you do NOT enable this option.
> ftpd.allow_named_ports=NO
>
> I'm not sure about other firewalls, but they're likely to have similar
> functionality.
>
> The bottom line is: if you're running a public ftp server, you should put
> all of its listening ports >1023 in the /etc/services file of the firewall.
>
> This might be difficult to check with many client PCs, and the ftp security
> server might be a solution to protect them. Users will complain that some
> ftp commands (quote) will not work anymore, but it's always security vs
> functionality vs obscurity.
>
> Lars
>
> -----Original Message-----
> From: Darren Reed [mailto:avalon@COOMBS.ANU.EDU.AU]
> Sent: 15. mars 2000 12:43
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP
> client
>
> [SNIP]
>
> So the upshot of this is with FW-1, you're screwed until you
> get the relevant fixes in place for ftp.  With any proxy
> based solution, you should only allow passive FTP.
>
> Darren
>
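The check the thread is arguing about, put into one small filter: the NOTSERVER_TCP_PORT idea from base.def (refuse and log a data connection to any port that names a service), Lars Troen's advice to register a public server's other >1023 listeners so the ALG will not open them, Raptor's allow_named_ports switch, and Darren Reed's passive-only rule for proxies. This is an added example, not code from Check Point, Raptor or any poster on the thread; the service table (a stand-in for the internal database David Grimes mentions), the Policy field names and the control-channel transcript are all constructed for illustration.

```python
"""Toy FTP ALG data-port filter (added example; not FW-1 or Raptor code)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for a firewall's internal table of TCP services
# (FW-1 consults such a table rather than /etc/services). Illustrative only.
BUILTIN_TCP_SERVICES: Dict[int, str] = {
    22: "ssh", 23: "telnet", 25: "smtp", 53: "domain", 80: "http", 111: "sunrpc",
    143: "imap", 512: "exec", 513: "login", 514: "shell", 2049: "nfs", 6000: "x11",
}

# RFC 959 HOST-PORT: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_REPLY_RE = re.compile(r"^227\s[^(]*\(" + _HOSTPORT + r"\)")


@dataclass(frozen=True)
class Policy:
    """Hypothetical knobs modelled on the thread: extra_ports registers the FTP
    host's other >1023 listeners (Lars' advice); allow_named_ports mirrors
    Raptor's ftpd.allow_named_ports; passive_only is Darren's rule for proxies."""
    extra_ports: FrozenSet[int] = frozenset()
    allow_named_ports: bool = False
    passive_only: bool = False

    def services(self) -> Dict[int, str]:
        table = dict(BUILTIN_TCP_SERVICES)
        for p in self.extra_ports:
            table.setdefault(p, "admin-registered")
        return table


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    host: str = ""
    port: int = 0


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six HOST-PORT fields into (dotted address, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("HOST-PORT octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_data_port(host: str, port: int, policy: Policy) -> Verdict:
    """NOTSERVER_TCP_PORT-style test: a data connection to a port that names a
    service is refused and logged as bad_conn, whatever the FTP peer asked for."""
    if port == 0:
        return Verdict(False, "port 0 is never a valid data port", host, port)
    name = policy.services().get(port)
    if name is not None and not policy.allow_named_ports:
        return Verdict(False, f"bad_conn: {port} is a named service ({name})", host, port)
    return Verdict(True, "data port is not a known service", host, port)


def filter_control_line(sender: str, line: str, policy: Policy) -> Optional[Verdict]:
    """Inspect one control-channel line; None means no data port was negotiated."""
    if sender == "client":
        m = PORT_CMD_RE.match(line)
        if not m:
            return None
        if policy.passive_only:
            return Verdict(False, "active mode (PORT) disabled, passive only")
        host, port = decode_hostport(m.groups())
        return check_data_port(host, port, policy)
    if sender == "server":
        m = PASV_REPLY_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        return check_data_port(host, port, policy)
    raise ValueError("sender must be 'client' or 'server'")


# Constructed control-channel transcript using documentation address ranges.
SAMPLE_SESSION: List[Tuple[str, str]] = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PORT 192,0,2,10,4,1"),      # 4*256+1 = 1025, ephemeral
    ("client", "PORT 192,0,2,10,0,23"),     # port 23: telnet on the client host
    ("client", "PORT 192,0,2,10,23,112"),   # 23*256+112 = 6000: X11
    ("server", "227 Entering Passive Mode (198,51,100,7,39,16)"),  # 10000
    ("server", "227 Entering Passive Mode (198,51,100,7,8,1)"),    # 2049: nfs
]


def run_session(session: List[Tuple[str, str]], policy: Policy) -> List[Verdict]:
    """Apply the filter to a transcript and collect the verdicts it produced."""
    return [v for s, l in session if (v := filter_control_line(s, l, policy)) is not None]


if __name__ == "__main__":
    for v in run_session(SAMPLE_SESSION, Policy(extra_ports=frozenset({10000}))):
        print("ALLOW" if v.allowed else "DENY ", v.host, v.port, v.reason)
```

Run as-is, the only opened port is 1025; telnet, X11 and nfs are refused by the built-in table, and 10000 is refused because the administrator registered it as a listener on the server host, which is exactly the effect Lars describes. Setting allow_named_ports=True reproduces the behaviour administrators get when they disable the check for throughput reasons (every negotiated port is opened), and passive_only=True rejects every PORT command outright while still vetting 227 replies.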