Re: [fw-wiz] OBSD reaction to CERT advisory

From: Daniel Hartmeier (daniel@benzedrine.cx)
Date: 10/10/02


From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Darren Reed <darrenr@reed.wattle.id.au>
Date: Thu Oct 10 14:56:30 2002

On Thu, Oct 10, 2002 at 11:45:48PM +1000, Darren Reed wrote:

> That brings me to another point, that was sorely missed in all the
> public material I've seen so far, except maybe by Sun (and in the
> wrong way) and that is you need a very special ftp daemon (i.e. not
> any of the vendor ones I have tried) before it will stand a chance
> of defeating IPFilter.

How about the NetBSD ftpd?

  $ telnet ftp.netbsd.org 21
  Trying 2001:4f8:4:b:2e0:81ff:fe21:6563...
  Connected to ftp.netbsd.org.
  Escape character is '^]'.
  220 ftp.netbsd.org FTP server (NetBSD-ftpd 20020615) ready.
  HELP 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
  502 Unknown command 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).

ip_fil3.4.29/ip_ftp_pxy.c ippr_ftp_pasv() accepts that, when I tickle
the server to retransmit the "227 ..." part, no?

Daniel