Re: The dreaded "Alternatives to NFS" question

From: Barry Margolin (barmar_at_alum.mit.edu)
Date: 08/22/04 

Date: Sat, 21 Aug 2004 23:03:23 -0400

In article <cg8sn4$9oo$1@usenet.cso.niu.edu>,
 Neil W Rickert <rickert+nn@cs.niu.edu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> elvis@notatla.org.uk (all mail refused) writes:
> >I'm not very interested in whether the client uses port 20
> >as it proves so little.
>
> You should be interested. It is the server that uses port 20,
> not the client.
>
> The client opens a socket to listen (on a random port). It sends the
> PORT command to the server advising it of the port to use. Anyone
> doing packet sniffing could find that port and connect to it. The
> server connects back using source port 20. The client should not
> accept connections from source ports other than 20, as a protection
> against being sent bogus data.

But in practice I don't think most clients check this. Shouldn't the
client also check that the connection is coming from the FTP server
address, and isn't that likely to provide about the same level of
protection?

Years ago I managed firewalls that ran Gauntlet, which has user-mode
proxies for the popular protocols. Since the FTP proxy ran as an
ordinary user, it couldn't bind port 20 when establishing the data
connection. In the 3 or 4 years I was supporting these firewalls at
dozens of customer sites, I think this only caused a problem once. 

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

Relevant Pages

  • Re: callbacks in TAO
    ... most firewalls will allow you to poke a hole in it by port number and then redirect the request to some internal server with a given ... port and internal IP address. ... In this case the -ORBListenEndpoints command line argument is useful on the client side. ... client-to-server connection as its callback connection, but I would hope that bidirectional IIOP would work in this case...never ...
    (comp.object.corba)
  • Re: callbacks in TAO
    ... have you tried just specifying the port range on the client side ORB? ... The portspan option can be used tell the server to select any port from a narrow band, which allows a collection of servers to share a limited group of addresses. ... Part of the Bidir connection negotiation is the client supplies the callback address as an alias. ...
    (comp.object.corba)
  • Re: Still cant connect to RWW or OWA remotely
    ... it certainly appears to be something about the SBS configuration. ... Meridian.local Ethernet adapter Local Area Connection: ... Windows SMALL BUSINESS SERVER 2003 Windows IP Configuration ... 192.168.254.254) directly to a port on the router and then ...
    (microsoft.public.windows.server.sbs)
  • Re: Passive means what during FTP?
    ... > server or the client that opens the data connection. ... the client tells the server what IP ... Vsftpd drops root after binding to port 21 entirely, ...
    (comp.os.linux.setup)
  • Re: Still cant connect to RWW or OWA remotely
    ... it certainly appears to be something about the SBS configuration. ... Meridian.local Ethernet adapter Local Area Connection: ... Windows SMALL BUSINESS SERVER 2003 Windows IP Configuration ... 192.168.254.254) directly to a port on the router and then ...
    (microsoft.public.windows.server.sbs)