[sclug] Re: Firewalls

lug at assursys.co.uk lug at assursys.co.uk
Sat Oct 25 09:05:32 UTC 2003


On Wed, 15 Jan 2003, - - wrote:

> 
> For what it's worth, and in danger of ranting..I apologise now. My take from 
> experience and the RFCs is below.
> 
> I would agree, having the IP address and port number in the FTP data payload 
> seems odd. But thinking about it logically, the only reasoning for this I 
> can think of is that the FTP control session must at some point publish the 
> IP address and TCP port number pairing for the FTP DATA session it will 
> support.  Where else can it do this other than the payload..?!!?!

That's not a problem, but it's probably fair to argue that the specific
problems are:

1) defaulting to non-PASV behaviour, requiring the server to establish
connections to the client.

2) sending commands in ASCII

3) sending numeric parameters unpadded (e.g. '1', rather than '001') which
causes problems with NAT.

> As we know the FTP control session uses one TCP port, the FTP data session 
> uses another, different port, 20 and 21.
> 
> The problem faced by NAT handling FTP data (it's a similar problem faced by 
> ICMP sometimes too) is mitigated by using an ALG (application layer gateway) 
> alongside, or as part of, your NAT/PAT system. It takes all responsibility for 
> monitoring the FTP sessions and modifying their address, port, sequence 
> number and checksum values in the respective TCP and IP headers...it can 
> modify the NAT/PAT tables accordingly if necessary..but usually keeps its 
> own tables or tuples of any connections.

Apparently, it's planned that the NAT helper stuff in the kernel is going to
be moved to userland, so more correct (i.e. complex) handling of protocols
like FTP will be possible. ;-]

> Sorry if I am teaching anyone how to suck eggs....
> Ahoj, mejte se...
> Simon Young

Best Regards,
Alex.
-- 
Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                        Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                           <http://www.assursys.com/>
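The two points the thread turns on, the host/port tuple carried in the FTP control payload and the ALG rewrite that NAT has to do on it, as an added Python example that is not code from the original post, from the list, or from any kernel or ALG implementation. It decodes the RFC 959 `h1,h2,h3,h4,p1,p2` form from both a PORT command and a 227 PASV reply, then rewrites a PORT command to a NAT's outside address the way an ALG would and reports how many bytes the segment grew or shrank by, which is exactly why unpadded parameters force sequence-number fixups. The sample lines, the inside address 192.168.1.10, the outside address 203.0.113.7 and the outside port 51200 are all constructed for the example.

```python
import re
from ipaddress import IPv4Address

# Constructed sample control-channel lines (not taken from the original post).
SAMPLE_PORT = "PORT 192,168,1,10,4,1\r\n"                         # client -> server
SAMPLE_PASV = "227 Entering Passive Mode (10,0,0,5,195,80)\r\n"   # server -> client

# RFC 959 HOST-PORT: six unpadded decimal byte values, h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip_string, port) for the h1,h2,h3,h4,p1,p2 tuple in a PORT command
    or a 227 PASV reply. Raises ValueError if there is no valid tuple."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("byte value out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = parts
    ip = str(IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))   # canonicalises, rejects junk
    return ip, (p1 << 8) | p2


def encode_hostport(ip, port):
    """Encode back into the unpadded form FTP actually sends on the wire."""
    octets = ",".join(str(b) for b in IPv4Address(ip).packed)
    return f"{octets},{port >> 8},{port & 0xFF}"


def alg_rewrite_port(line, inside_ip, outside_ip, outside_port):
    """Rewrite a client's PORT command the way an FTP ALG on a NAT would.

    Returns (new_line, length_delta). Because the numbers are unpadded, the
    rewritten command can be a different length from the original; a non-zero
    delta means the NAT must also adjust TCP sequence numbers (client->server)
    and acknowledgement numbers (server->client) on the control connection
    from this segment onward, and recompute the TCP checksum.
    """
    ip, _port = decode_hostport(line)
    if ip != inside_ip:
        # Not the inside host this translation belongs to: leave it untouched.
        return line, 0
    new_line = f"PORT {encode_hostport(outside_ip, outside_port)}\r\n"
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    print(decode_hostport(SAMPLE_PORT))   # ('192.168.1.10', 1025)
    print(decode_hostport(SAMPLE_PASV))   # ('10.0.0.5', 50000)
    new, delta = alg_rewrite_port(SAMPLE_PORT, "192.168.1.10", "203.0.113.7", 51200)
    print(repr(new), delta)               # 'PORT 203,0,113,7,200,0\r\n' 1
```

The one-byte delta in the sample is the whole NAT headache in miniature: had the RFC mandated zero-padded octets, every rewrite would be length-preserving and the ALG could patch the payload in place with only a checksum update. Passing through any PORT whose embedded address is not the inside host being translated is deliberate; an ALG should only rewrite tuples it actually owns.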
