Mordechai T. Abzug <[EMAIL PROTECTED]> writes:
>   In particular, checkpoint didn't like that gauntlet used
>anonymous ports for the data sockets instead of port 20.

In my opinion, a firewall that assumes FTP servers are
binding the privileged port is mis-implemented. As you've
noticed, doing so causes them to reject traffic from versions
of FTP servers and proxies that are actually better than
the "ordinary" ones!

>   Looking
>through the manual, there's a way to change this

Nope, there isn't; that feature is hard coded into the
system. There's no code in the proxy to bind the
privileged port, which would entail making the proxy
run with privileges, or removing the privilege check
from the underlying kernel.

>  -- but are there
>security implications?  Why was it set differently to begin with?

It's a design that evolved from how the DEC SEAL's FTP
proxy worked. A while before I coded that, I figured out
FTP bouncing attacks and hypothesized that some ruserok()
implementations might not check that the calling port
was greater than, say, 100, and still in the privileged range.
Anyhow, I decided that good FTP servers should not bind
the privileged port, and further that proxies _especially_
shouldn't.

In other words, it's not a bug, it's a feature. :)

FTP is a fundamentally broken protocol. Back in those
days I was trying to fix it using proxies and whatnot. Now,
based on some of the stuff Michael is finding, I don't
even think it's worth fixing. It just needs to have a bullet
put through it. Someone needs to spearhead an RFC
deprecating FTP in favor of a suitable replacement like
SSH/SCP.

mjr.
---
Marcus J. Ranum     Chief Technology Officer, Network Flight Recorder, Inc.
Work: http://www.nfr.net
Play: http://pubweb.nfr.net/~mjr
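
An added illustration, not part of the message above or of any firewall product's code: a filter that matches active-mode FTP data connections against the PORT command seen on the control channel instead of assuming source port 20, so a server or proxy that uses an unprivileged source port is still accepted. The function and class names and the sample addresses are assumptions; the refusal of bounce-style PORT requests (third-party address or target port below 1024) is a commonly used safeguard that the message does not spell out.

```python
# Added example: all names and sample values are constructed for illustration.
from dataclasses import dataclass, field


def parse_port(arg: str) -> tuple[str, int]:
    """Decode an FTP PORT argument 'h1,h2,h3,h4,p1,p2' (RFC 959)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def naive_allow(src_port: int) -> bool:
    """The rule criticised above: data connections must come from port 20."""
    return src_port == 20


@dataclass
class ControlSession:
    client_ip: str
    server_ip: str
    expected: set = field(default_factory=set)  # pending (ip, port) endpoints

    def on_port_command(self, arg: str) -> bool:
        """Record the endpoint the client asked for; refuse bounce-style requests."""
        ip, port = parse_port(arg)
        # Third-party address or privileged target port: the FTP bounce pattern.
        if ip != self.client_ip or port < 1024:
            return False
        self.expected.add((ip, port))
        return True

    def allow_data(self, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
        """Permit one server-to-client data connection matching a pending PORT."""
        if src_ip != self.server_ip or (dst_ip, dst_port) not in self.expected:
            return False
        self.expected.discard((dst_ip, dst_port))  # one connection per PORT
        return True  # src_port is deliberately not part of the decision
```
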
