Re: active ftp through firewall

From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 05/26/04

    Date: Wed, 26 May 2004 12:31:31 -0400

    In article <1085579857.16076@ente.ipberlin.com>,
     jpd <read_the_sig@do.not.spam.it> wrote:

    > On 2004-05-20, Barry Margolin <barmar@alum.mit.edu> wrote:
    > > In article <1085036311.748582@ente.ipberlin.com>,
    > > jpd <read_the_sig@do.not.spam.it> wrote:
    > >
    > >> ["Followup-To:" header set to comp.security.unix.]
    > >> On 2004-05-20, Barry Margolin <barmar@alum.mit.edu> wrote:
    > >> > Firewalls are supposed to watch the traffic on the FTP command channel,
    > >> > and notice when a PORT command goes through so that they can open up
    > >> > that port for an inbound connection from the FTP server.
    > >>
    > >> And why do you suppose them to do so?
    > >
    > > Because it's important to support a heavily-used Internet application
    > > protocol.
    >
    > It may be important to you, but that does not excuse assumption without
    > checking. If you want your firewall to support protocol inspection (for
    > _any_ protocol, no matter how heavily it is used) you'd better make
    > sure your desired hardware or software supports that.

    That implies that people who purchase firewalls are knowledgeable enough
    about protocols that they know that this is something to look for. I
    expect that 99% of Internet users would have no idea that this is a
    desirable feature. And even if they did, how would they know whether a
    particular firewall had it? It's not something that's advertised on the
    box.

    > What I'm saying is that you shouldn't simply suppose things but rather
    > explicitly ask for features you want. You ASS-U-MEd, as certain people
    > say, based upon personal preferences and I think that's bad practice.

    Perhaps "supposed" was a poor word -- I *expect* a full-featured
    firewall to support FTP. Full-featured firewalls have been doing this
    for years. Only a simple port filter has any excuse not to.

    -- 
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
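
The inspection Barry describes (a firewall watching the control channel for a PORT command and opening the matching inbound hole) as an added Python sketch; this is illustration written for this page, not code from the thread, and the sanity rules in pinhole_for (announced address must match the client, port must be above 1023) are my assumptions about what a careful FTP inspector should require.

```python
import re
from dataclasses import dataclass

# Constructed sketch of the FTP inspection the thread describes: watch the
# control channel for a PORT command and derive the single inbound pinhole
# (server -> client data connection) the firewall should open for it.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Pinhole:
    src_ip: str    # FTP server, which initiates the active-mode data connection
    src_port: int  # conventionally 20 (ftp-data)
    dst_ip: str    # client address announced in PORT
    dst_port: int  # client port announced in PORT


def parse_port_command(line: str):
    """Parse an RFC 959 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port), or None."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):      # each octet/byte must fit in 8 bits
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def pinhole_for(line: str, client_ip: str, server_ip: str):
    """Return the Pinhole a stateful firewall should open for this PORT line.

    Assumed sanity rules (my choice, not from the thread): the announced
    address must equal the client's own control-connection address and the
    port must be unprivileged (> 1023); otherwise no hole is opened.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip or port <= 1023:
        return None
    return Pinhole(server_ip, 20, ip, port)
```

A real inspector would also close the pinhole once the data connection is established or a timeout passes, which this sketch leaves out.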
    
