[15697] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (David Maxwell)
Mon Jul 10 02:32:56 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000708004621.B23125@fundy.ca>
Date: Sat, 8 Jul 2000 00:46:22 -0300
Reply-To: David Maxwell <david@FUNDY.CA>
From: David Maxwell <david@FUNDY.CA>
X-To: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000706182014.27509.qmail@cr.yp.to>; from D. J. Bernstein on
Thu, Jul 06, 2000 at 06:20:14PM -0000
On Thu, Jul 06, 2000 at 06:20:14PM -0000, D. J. Bernstein wrote:
> Why are you allowing PORT-style FTP through your firewall? See RFC 1579.
> Can I scan port 6000 on your hosts if I set my source port to 20?
>
> Netscape uses PASV. The OpenBSD ftp client uses PASV. The Linux ftp
> client uses PASV if you give it the -p option. Internet Explorer uses
> PASV. What makes you think that requiring PASV will noticeably increase
> the level of user annoyance at your firewall?
A noticable set of sites have ftp servers which don't support PASV.
I say 'noticable' because if you manage a site with a fair sized user
base and turn active ftp support off, it won't take long for someone
to ask why some address doesn't work anymore.
Active ftp can be supported while preventing host scanning by including
NAT, or state-aware rules in your firewall setup. (If your software
supports it.)
--
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic...
- me
