Re: [fw-wiz] Active to Passive FTP translator?

From: David Pick (d.m.pick@qmul.ac.uk)
Date: 11/26/02


To: firewall-wizards@honor.icsalabs.com
Date: Tue Nov 26 10:57:01 2002


> I am just curious at the real threat of allowing non passive FTP connections
> from clients.

The biggest threat is that you lose the ability, with many
firewalls, of controlling a fair slice of incoming calls.

If you want to have a client that can call out in active
mode you have to have a firewall that allows the data calls
from the server(s) back to your client. These incoming calls
will be from the servers to a TCP port chosen dynamically
from a specific range that should be documented for the FTP
client; however, these ranges vary between clients and/or
the OS used to support the client. So you have to allow
incoming calls to a range of TCP port numbers and that may
leave you more or less vulnerable depending on your prior
knowledge of the FTP servers, &c, &c.

Active FTP with a firewall that is sensitive to the content
of the FTP control connection is as safe as you can readily
get. In fact, in these circumstances, it makes little
difference if you use active or passive FTP. Also (of course!)
the choice of client program makes a difference - a buggy
program will be less safe than a reliable one!

-- 
	David Pick
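
The "firewall that is sensitive to the content of the FTP control connection" that the post describes is usually called an FTP application-level gateway (ALG). The example below is added here and is not code from the original post or from any particular firewall product: it is a toy ALG that reads a constructed FTP control-channel transcript (both the client's commands and the server's replies), parses the PORT and PASV host/port encodings, and derives one narrow, per-transfer pinhole for each data connection instead of the static port range the post warns about. It also applies the check a defender wants here: the address in PORT must match the client that owns the control connection, and the address in the 227 reply must match the server, otherwise the request is refused. The addresses, the port-20 source-port assumption for active mode and the transcript are all constructed for the example.

```python
"""Toy FTP application-level gateway: derive per-transfer firewall pinholes
from the FTP control channel instead of opening a static port range.
Added example, not code from the original mailing-list post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Active mode: the client tells the server where to connect back (PORT h1,h2,h3,h4,p1,p2).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# Passive mode: the server tells the client where to connect (227 ... (h1,h2,h3,h4,p1,p2)).
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Pinhole:
    direction: str            # "inbound" = server -> client, "outbound" = client -> server
    src_ip: str
    src_port: Optional[int]   # None means any source port
    dst_ip: str
    dst_port: int


def decode_hostport(fields: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256 + p2), validating ranges."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        # Data ports are chosen from the ephemeral range; refuse well-known ports.
        raise ValueError("data port below 1024")
    return ".".join(str(n) for n in nums[:4]), port


def pinhole_from_line(line: str, sender: str, client_ip: str, server_ip: str,
                      server_data_port: int = 20) -> Optional[Pinhole]:
    """Return the pinhole implied by one control-channel line, or None if the
    line does not set up a data connection. Raises ValueError on a request
    that names a host other than the two ends of the control connection."""
    if sender == "client":
        m = PORT_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            # Only open a hole back to the host that owns the control connection.
            raise ValueError(f"PORT names {ip}, control connection is from {client_ip}")
        return Pinhole("inbound", server_ip, server_data_port, client_ip, port)
    if sender == "server":
        m = PASV_RE.match(line)
        if not m:
            return None
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 reply names {ip}, control connection is to {server_ip}")
        return Pinhole("outbound", client_ip, None, server_ip, port)
    raise ValueError("sender must be 'client' or 'server'")


def pinholes_for_session(transcript: List[Tuple[str, str]],
                         client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk a (sender, line) transcript and collect every data-connection pinhole."""
    holes = []
    for sender, line in transcript:
        hole = pinhole_from_line(line, sender, client_ip, server_ip)
        if hole is not None:
            holes.append(hole)
    return holes


# Constructed control-channel transcript; addresses come from documentation ranges.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "203.0.113.5"
SAMPLE_TRANSCRIPT = [
    ("server", "220 ftp.example.test ready"),
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@"),
    ("server", "230 Login successful."),
    ("client", "PORT 192,0,2,10,4,1"),      # active: client listens on 192.0.2.10:1025
    ("server", "200 PORT command successful."),
    ("client", "LIST"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)"),  # passive: 203.0.113.5:50000
    ("client", "RETR file.txt"),
]

if __name__ == "__main__":
    for hole in pinholes_for_session(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP):
        print(hole)
```

Run as-is it prints two pinholes: an inbound one from 203.0.113.5:20 to 192.0.2.10:1025 for the active transfer, and an outbound one from 192.0.2.10 (any port) to 203.0.113.5:50000 for the passive one. Without the control-channel parsing, the inbound rule would have to cover the client's whole ephemeral range, which is exactly the loss of control the post describes.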

