FYI...
It's not /etc/services that FW-1 uses to match a service; FW-1 has an
internal database of predefined services, many of which aren't in the
services file....
david grimes
> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, March 17, 2000 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP
> client
>
>
> With Firewall-1, connections to all ports defined in the /etc/services file
> will be denied during an ftp session. This is defined in the file base.def
> as follows:
> // ports which are dangerous to connect to
> #define NOTSERVER_TCP_PORT(p) {
> (not
> (
> ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
> set sr12 p, set sr1 0, log bad_conn)
> .....
>
> Firewall-1 does not differentiate between file transfers initiated from your
> internal network and a public ftp server serving the internet. This often
> causes problems with large file transfers, or when transferring lots of
> files. Firewall administrators might for this reason disable this function
> as described here:
> http://www.phoneboy.com/fw1/faq/0106.html
>
> Also Raptor Firewall has a similar setting in config.cf:
> # This restricts ports rather less that allow_low_ports. Raptor strongly
> # recommends that you do NOT enable this option.
> ftpd.allow_named_ports=NO
>
> I'm not sure about other firewalls, but they're likely to have similar
> functionality.
>
> The bottom line is: if you have a public ftp server, you should put all
> of its listening ports >1023 in the /etc/services file of the firewall.
>
> This might be difficult to check with many client PCs, and the ftp security
> server might be a solution to protect them. Users will complain that some
> ftp commands (quote) will not work anymore, but it's always security vs
> functionality vs obscurity.
>
> Lars
>
> -----Original Message-----
> From: Darren Reed [mailto:[EMAIL PROTECTED]]
> Sent: 15 March 2000 12:43
> To: [EMAIL PROTECTED]
> Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP
> client
>
> [SNIP]
>
> So the upshot of this is: with FW-1, you're screwed until you get the
> relevant fixes in place for ftp. With any proxy-based solution, you should
> only allow passive FTP.
>
> Darren
>
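The following is an added illustration of the checks the thread is arguing about, not code from any of the posters and not Firewall-1, Raptor or INSPECT code. It models a firewall's FTP data-channel filter in Python: it parses PORT commands and 227 (PASV) replies seen on the control channel and refuses a data connection whose port appears in the firewall's TCP service table, the idea behind the NOTSERVER_TCP_PORT macro quoted above, plus a "passive only" switch for the proxy-style policy Darren describes. Assumptions, all mine: the service table is a constructed /etc/services-style sample (as David points out, real FW-1 consults its own service database, so this parser merely stands in for whatever table the firewall uses); the service-port check is applied to both PORT and 227 directions; the client and server addresses 10.0.0.5 and 192.0.2.10, the sample control-channel lines, and the extra address-sanity check are constructed for the example.

```python
"""Toy FTP data-channel filter, added here to illustrate the checks the thread
describes.  Not Firewall-1, Raptor or INSPECT code; the service table and the
control-channel lines are constructed samples.  Modelled policies:
  * not-a-server-port: a PORT command or 227 (PASV) reply naming a port that is
    in the firewall's TCP service table is refused and logged, the idea behind
    FW-1's NOTSERVER_TCP_PORT, applied here to both data-channel directions;
  * passive-only: every PORT command is refused (the thread's advice for
    proxy-based firewalls); PASV data connections are still port-checked.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in /etc/services format (assumption: the table kept on
# the firewall; a real file is far longer).
SAMPLE_SERVICES = """\
ftp-data     20/tcp
ftp          21/tcp
ssh          22/tcp
telnet       23/tcp
domain       53/udp
http         80/tcp
netbios-ssn 139/tcp   # NetBIOS session service
x11        6000/tcp   # X Window System
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def tcp_ports_from_services(text: str) -> set[int]:
    """Collect the TCP port numbers from text in /etc/services format."""
    ports: set[int] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue                               # blank or not 'name port/proto'
        number, proto = fields[1].split("/", 1)
        if proto.lower() == "tcp" and number.isdigit():
            ports.add(int(number))
    return ports


@dataclass
class Decision:
    allowed: bool
    reason: str
    host: Optional[str] = None
    port: Optional[int] = None


def _decode(groups) -> tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def _check(groups, expected_ip: str, known_ports: set[int], what: str) -> Decision:
    try:
        host, port = _decode(groups)
    except ValueError as exc:
        return Decision(False, f"malformed {what}: {exc}")
    if host != expected_ip:
        # Address sanity check (assumption, not from the thread).  It does not
        # stop the ALG attack, where the victim is tricked into naming its own
        # address with a dangerous port; the service-table check below does.
        return Decision(False, f"{what} names a third party", host, port)
    if port in known_ports:
        return Decision(False, f"bad_conn: {what} to a service port", host, port)
    return Decision(True, f"{what} data connection permitted", host, port)


def filter_control_line(line: str, *, client_ip: str, server_ip: str,
                        known_ports: set[int], passive_only: bool = False) -> Decision:
    """Decide whether the data connection announced by one control-channel
    line may be opened.  Lines announcing no data connection pass."""
    m = PORT_RE.match(line)
    if m:
        if passive_only:
            return Decision(False, "active mode refused, passive only")
        return _check(m.groups(), client_ip, known_ports, "PORT")
    m = PASV_RE.match(line)
    if m:
        return _check(m.groups(), server_ip, known_ports, "227")
    return Decision(True, "no data connection announced")


def run_demo() -> list[tuple[str, bool, str]]:
    """Constructed control-channel lines through the not-a-server-port policy.
    The 'PORT ...,0,139' line is what a hostile server can make a client send."""
    known = tcp_ports_from_services(SAMPLE_SERVICES)
    lines = [
        "PORT 10,0,0,5,200,10",                           # port 51210, harmless
        "PORT 10,0,0,5,0,139",                            # port 139, refused
        "227 Entering Passive Mode (192,0,2,10,23,112)",  # port 6000, refused
        "227 Entering Passive Mode (192,0,2,10,195,88)",  # port 50008, allowed
        "RETR README",
    ]
    return [(ln, d.allowed, d.reason) for ln in lines
            for d in [filter_control_line(ln, client_ip="10.0.0.5",
                                          server_ip="192.0.2.10", known_ports=known)]]
```

Lars's advice maps directly onto this model: adding a public server's high listening ports to the table (`known_ports | {51210}`) makes the filter refuse a crafted PORT or 227 aimed at them, at the cost Lars mentions of also refusing legitimate transfers that happen to land on those ports. Setting `passive_only=True` gives the proxy-style policy instead, where no PORT command is honoured at all.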