>>>>> "Robert" == Robert MacDonald <[EMAIL PROTECTED]> writes:
Robert> Question. Do you force your customers to specify a port when they FTP
Robert> to/from you? I may not have mentioned it in the original post,
Robert> but we didn't want to force our customers into opening holes in their
Robert> firewalls &/or have to specify specific port numbers when FTPing to us.
Ummm... that's what the PORT command does. And it's required (unless you use
PASV). As for opening holes, that's not required, unless the customer has a
simple packet filter with no protocol knowledge (or a broken "advanced"
firewall like Firewall-1).
Robert> I did understand the RFC and yes I agree on your semantics above.
Robert> GEIS on the other hand was randomly (their terminology) choosing a high
Robert> port to initiate the communications for the DATA channel. This is where
Robert> the firewall did its job.
GEIS was correct. The source port for the data connection is not
defined. It can be _anything_. Most well-run FTP servers will choose a
random port, just as GEIS did. If your firewall can't handle that, replace
it with one that is properly written.
Robert> I am open to suggestions (firewall specific ;-) on how to
Robert> accomplish FTP and be more secure, while keeping it as simplistic as
Robert> possible for our customers.
If your customers are using broken firewalls (as opposed to your own
firewall being broken, which was what your first post implied), you have 3
choices:
- require your customers to fix their firewalls
- run your FTP server with root privs, and accept the risk
- run your FTP server on an OS that allows you to make port 20
non-privileged (Solaris does, but prior to SunOS 5.8 the mechanism wasn't
very flexible)
FTP is a badly designed protocol. It sucks. It makes security admins' lives
hell. And unfortunately, vendors like Checkpoint make it even worse, by
doing half-assed "inspection" that doesn't actually track protocol state.
--
Carson Gaspar -- [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
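A worked example, added here and not part of the thread, of the point being argued: the PORT command (or the 227 reply to PASV) already tells an FTP-aware firewall the exact data connection to expect, whereas a filter that does not parse FTP must leave a standing hole, and that hole gets wider still if it cannot count on the server using source port 20. The addresses and the control-channel lines are constructed sample values, and `server_src_port=None` stands for "unspecified by the protocol".

```python
import re

# h1,h2,h3,h4,p1,p2 is the address format shared by the PORT command and the 227 reply to PASV
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")


def decode_hostport(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    nums = [int(x) for x in fields.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % fields)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connection(line, client_ip, server_ip, server_src_port=None):
    """Return (mode, (src_ip, src_port), (dst_ip, dst_port)) of the data channel
    announced by one control-channel line.  A src_port of None means the
    protocol leaves it unspecified (port 20 is convention, not a requirement)."""
    m = PORT_RE.match(line)
    if m:                                   # active: the server opens the data connection
        ip, port = decode_hostport(m.group(1))
        if ip != client_ip:                 # only accept the control-connection peer itself
            raise ValueError("PORT names %s, not the control peer %s" % (ip, client_ip))
        return "active", (server_ip, server_src_port), (ip, port)
    m = PASV_RE.match(line)
    if m:                                   # passive: the client opens the data connection
        ip, port = decode_hostport(m.group(1))
        if ip != server_ip:
            raise ValueError("227 names %s, not the control peer %s" % (ip, server_ip))
        return "passive", (client_ip, None), (ip, port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def client_firewall_rules(line, client_ip, server_ip, server_src_port=None):
    """Contrast the single flow a stateful helper pins from this line with the
    permanent hole a filter that does not parse FTP would have to leave open."""
    mode, (sip, sport), (dip, dport) = data_connection(line, client_ip, server_ip, server_src_port)

    def p(port):  # render an unspecified port as 'any'
        return "any" if port is None else str(port)

    stateful = "allow tcp %s:%s -> %s:%d (this transfer only)" % (sip, p(sport), dip, dport)
    if mode == "active":   # inbound to every high port on the client, from 20 or from anywhere
        hole = "allow inbound tcp %s:%s -> %s:1024-65535" % (sip, p(sport), dip)
    else:                  # outbound from the client to every high port on the server
        hole = "allow outbound tcp %s:any -> %s:1024-65535" % (sip, dip)
    return {"mode": mode, "stateful": stateful, "stateless_hole": hole}
```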