On Sat, Oct 14, 2000 at 07:51:34PM -0400, Marcus J. Ranum wrote:
> Mordechai T. Abzug <[EMAIL PROTECTED]> writes:

[snip some discussion of the fact that Gauntlet likes to use anonymous
ports for data connections in the FTP proxy]

> > Looking through the manual, there's a way to change this

> Nope, there isn't; that feature is hard coded into the
> system. There's no code in the proxy to bind the privileged port,
> which would entail making the proxy run with privileges, or removing
> the privilege check from the underlying kernel.

At least with Gauntlet 5.0, ftp-gw has an attribute called data-port.
Setting it to 20 did successfully cause ftp-gw to bind to this port,
as evidenced by sniffer output.  And I made the change without
restarting the proxy, which implies that it's running with privileges.
Were you involved with Gauntlet 5.0?  Maybe NAI made some security
compromises to improve the featureset.  Ow.

> It's a design that evolved from how the DEC SEAL's FTP proxy
> worked. A while before I coded that, I figured out FTP bouncing
> attacks and hypothesized that some ruserok() implementations might
> not check that the calling port was greater than, say, 100, and
> still in the privileged range.  Anyhow, I decided that good FTP
> servers should not bind the privileged port, and further that
> proxies _especially_ shouldn't.

Hmm.  I apparently have the option to disable this with recent
Gauntlet versions, but I don't want to if it's a security problem.
That said, our firewall isn't running any r* proxies, or any r*
clients, or ssh with rhost authentication, or any other protocol that
treats privileged source ports differently from non-privileged (that I
can think of, anyway.)  Would you consider this case to not be a
problem, or do you think I should take a hard line stance and insist
that the other firewall implement a workaround on their end?

Thanks, Marcus!  [And thanks to William and mouss, too.  :) ]

[posted, and mailed directly.]

-- 
                           Mordechai T. Abzug
[EMAIL PROTECTED]    [EMAIL PROTECTED]      [EMAIL PROTECTED]
Linux red-sonja 2.4.0-test9-morty2 #4 Mon Oct 9 03:16:59 EDT 2000 i686 unknown
Everyone talks about apathy, but no one does anything about it.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
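The thread above turns on two separate checks that an FTP proxy's data-connection handling touches: the classic bounce check on a PORT command, and what a service that trusts privileged source ports (rshd-style ruserok()) would make of a data connection arriving from source port 20 rather than an anonymous port. The following is an added illustration, written for this page; it is not Gauntlet code and not code from any poster. The function names, the "lax" check, and the sample addresses are assumptions; the 512..1023 range is the BSD rshd/rlogind rule, and binding a port below 1024 needing privilege is standard Unix behaviour.

```python
"""Added example (not Gauntlet's or any poster's code): FTP-proxy
data-connection checks discussed in the thread.

Shows (1) the classic anti-bounce rule on PORT, (2) why a proxy that
binds data connections to source port 20 needs privilege while an
anonymous (ephemeral) port does not, and (3) how port 20 looks to a
privileged-port-trusting peer under a lax versus a strict check.
All names and sample values are the example's own assumptions.
"""
import socket

# BSD rshd/rlogind accept a client source port only in this range
# (IPPORT_RESERVED/2 .. IPPORT_RESERVED-1).
RESERVED_LOW, RESERVED_HIGH = 512, 1023


def parse_port_command(arg):
    """Parse the argument of an FTP PORT command, h1,h2,h3,h4,p1,p2 -> (ip, port)."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_bounce_attempt(control_peer_ip, port_arg):
    """Anti-bounce rule: the data connection must go back to the host that
    owns the control connection, and never to a low (service) port."""
    ip, port = parse_port_command(port_arg)
    return ip != control_peer_ip or port < 1024


def lax_privileged_check(src_port):
    """A ruserok()-style check that only asks 'is the source port < 1024?'
    (the hypothesised weak implementation in the thread)."""
    return src_port < 1024


def strict_privileged_check(src_port):
    """The BSD rshd rule: source port must lie in [512, 1023]."""
    return RESERVED_LOW <= src_port <= RESERVED_HIGH


def trust_decision(src_port):
    """What a privileged-port-trusting service on the far end would conclude
    about a data connection from this source port."""
    return {
        "lax_check_trusts": lax_privileged_check(src_port),
        "strict_rshd_trusts": strict_privileged_check(src_port),
    }


def open_data_socket(source_port=0):
    """Bind the local end of an active-mode data connection.

    source_port=0  -> anonymous (ephemeral) port, no privilege needed.
    source_port=20 -> needs root / CAP_NET_BIND_SERVICE; a non-root
                      caller gets PermissionError (EACCES) from bind().
    Returns (socket, bound_port); caller closes the socket.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", source_port))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: control connection from 10.0.0.5, three PORT commands.
    peer = "10.0.0.5"
    for cmd in ("10,0,0,5,4,1", "10,0,0,5,2,2", "10,0,0,9,2,2"):
        print(cmd, "->", parse_port_command(cmd), "bounce?", is_bounce_attempt(peer, cmd))
    print("source port 20:", trust_decision(20))
    print("source port 1023:", trust_decision(1023))
    sock, port = open_data_socket(0)
    print("anonymous data socket bound to port", port)
    sock.close()
    try:
        sock, port = open_data_socket(20)
        print("bound port 20: this process is running with privilege")
        sock.close()
    except PermissionError as e:
        print("bind to port 20 refused without privilege:", e)
```

The last branch is the point the thread is making: if the proxy can be told to bind port 20 at runtime and succeeds, it is running with the privilege to do so, and every data connection it opens then carries a source port that a lax privileged-port check would accept.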