Firewall: Browser FTP versus plain FTP

Post by Neal Rhode » Thu, 17 Sep 1998 04:00:00



We are running a plain packet filter, only allowing certain services.
We allow outbound 21 (ftp) and 20 either way. (ftpdata)  We have no
ftpd in our inetd.conf, so we don't care about inbound ftpdata.

With this setup a user can run the normal ftp client and get files
out on the internet.   When Netscape sees a page reference and it is
an ftp reference, it always hangs trying to download.

When I turned off the firewall, and looked real careful, I see extra
services being referenced.  For instance, try
        http://www.1soft.com/download.html
When you select to download something, it tries to open a much higher
service number, which seems to change at will:
        208.146.49.105:2045
Next time
        208.146.49.105:2047
Next day
        208.146.49.105:3048

My packet filter is blowing off these services, of course, so the FTP
fails.  

Is there any pattern to this?  Is there some convention I am missing?
Am I right in assuming some risk to allowing services 2000-3000 to
play through my firewall?
--
Neal Rhodes, President, MNOP Ltd
Lilburn (Atlanta) GA 30247
Phone: (770) 972-5430   Fax: 978-4741
http://www.mnopltd.com/


Firewall: Browser FTP versus plain FTP

Post by Pascal Gieng » Thu, 17 Sep 1998 04:00:00



>We are running a plain packet filter, only allowing certain services.
>We allow outbound 21 (ftp) and 20 either way. (ftpdata)  We have no
>ftpd in our inetd.conf, so we don't care about inbound ftpdata.

>With this setup a user can run the normal ftp client and get files
>out on the internet.   When Netscape sees a page reference and it is
>an ftp reference, it always hangs trying to download.

>When I turned off the firewall, and looked real careful, I see extra
>services being referenced.  For instance, try
>    http://www.1soft.com/download.html
>When you select to download something, it tries to open a much higher
>service number, which seems to change at will:
>    208.146.49.105:2045

Netscape uses Passive FTP. Normally, when you open an ftp connection, you
connect to port 21 of the desired server. After that, your ftp client
issues a PORT command where it puts a port number and an IP, to which
the *SERVER* should connect to open the data connection.
With Passive FTP, the ftp client (here: netscape) uses the "PASV" command
and gets the reply from the server, to which port it should connect for
a data connection. You may also use PASV and PORT to initiate a data
connection between two servers to which you have an ftp control connection
open. This was the cause of a little security hole, if I remember right.

Due to this passive FTP, Netscape has to connect to a service port given
by the server. And this port is selected by the server without being
able to foresee his behaviour. It could be any TCP Port.

Passive ftp is good for things like NAT and Firewalls, because it is often
not possible for outer machines to connect to machines inside the firewall
(as an FTP Server would do in "normal" ftp). So you use passive ftp and
all connections are to the machine beyond the firewall.
You can't restrict ports for ftp. If you want to use ftp with your
firewall, install some sort of ftp proxy and give him access via the
firewall.

Pascal
--

http://pascal.znet.de/     Pascal Gienger         - is like a fish without

        http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth
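The PASV exchange Pascal describes, as an added example that is not part of the original thread: the server's 227 reply carries the data host and port as six comma-separated numbers (port = p1*256 + p2), and a packet filter can only reason about the data connection after decoding it. The replies below are constructed so that they encode the ports Neal observed (2045, 2047, 3048); the checker also flags a 227 reply whose host differs from the control server, which is the kind of redirect the "security hole" remark refers to.

```python
import re

# Constructed sample 227 replies (not captured from the servers in the thread);
# the encoded ports match the ones Neal saw: 7*256+253 = 2045, etc.
SAMPLE_PASV_REPLIES = [
    "227 Entering Passive Mode (208,146,49,105,7,253)\r\n",
    "227 Entering Passive Mode (208,146,49,105,7,255)\r\n",
    "227 Entering Passive Mode (208,146,49,105,11,232)\r\n",
]

PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def build_port_command(host, port):
    """The client-side equivalent used in active mode: the PORT command,
    encoded with the same host,p1,p2 convention as the 227 reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (host.replace(".", ","), port // 256, port % 256)


def check_data_connection(reply, control_host, allowed_ports):
    """Decide whether a filter that only permits outbound TCP to ports in
    'allowed_ports' (a range) would let this passive data connection through,
    and flag replies that point somewhere other than the control server."""
    host, port = parse_pasv_reply(reply)
    problems = []
    if host != control_host:
        problems.append("data host %s differs from control host %s" % (host, control_host))
    if port < 1024:
        problems.append("server chose privileged port %d" % port)
    if port not in allowed_ports:
        problems.append("port %d outside filter's allowed range" % port)
    return {"host": host, "port": port, "permitted": not problems, "problems": problems}
```

Run over the three sample replies with `range(2000, 3001)`, the first two are permitted and the third (3048) is not, which is exactly the behaviour Neal saw on the third day.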


Firewall: Browser FTP versus plain FTP

Post by Neal Rhode » Sat, 19 Sep 1998 04:00:00


So you are saying that my local Netscape will request the
connection to the higher numbered port, so it is "safe" for my
firewall to allow outbound tcp connections higher than NNNN, where NNNN
is 1500? 1000?



> >We are running a plain packet filter, only allowing certain services.
> >We allow outbound 21 (ftp) and 20 either way. (ftpdata)  We have no
> >ftpd in our inetd.conf, so we don't care about inbound ftpdata.

> >With this setup a user can run the normal ftp client and get files
> >out on the internet.   When Netscape sees a page reference and it is
> >an ftp reference, it always hangs trying to download.

> >When I turned off the firewall, and looked real careful, I see extra
> >services being referenced.  For instance, try
> >       http://www.1soft.com/download.html
> >When you select to download something, it tries to open a much higher
> >service number, which seems to change at will:
> >       208.146.49.105:2045

> Netscape uses Passive FTP. Normally, when you open a ftp connection, you
> connect to port 21 of the desired server. After that, your ftp client
> issues a PORT command where it puts a port number and an IP, to which
> the *SERVER* should connect to open the data connection.
> With Passive FTP, the ftp client (here: netscape) uses the "PASV" command
> and gets the reply from the server, to which port it should connect for
> a data connection. You may also use PASV and PORT to initiate a data
> connection between two servers to which you have a ftp control connection
> open. This was the cause of a little security hole, if I remember right.

> Due to this passive FTP, Netscape has to connect to a service port given
> by the server. And this port is selected by the server without being
> able to foresee his behaviour. It could be any TCP Port.

> Passive ftp is good for things like NAT and Firewalls, because it is often
> not possible for outer machines to connect to machines inside the firewall
> (as an FTP Server would do in "normal" ftp). So you use passive ftp and
> all connections are to the machine beyond the firewall.
> You can't restrict ports for ftp. If you want to use ftp with your
> firewall, install some sort of ftp proxy and give him access via the
> firewall.

> Pascal
> --

> http://pascal.znet.de/     Pascal Gienger         - is like a fish without

>         http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth

--
Neal Rhodes, President, MNOP Ltd
Lilburn (Atlanta) GA 30247
Phone: (770) 972-5430   Fax: 978-4741
http://www.mnopltd.com/


1. FTP client inside linux firewall communicating with FTP server inside another linux firewall

I am trying to use a Windows FTP client (BPFTP) behind a linux
firewall computer running ipchains and ipmasqadm portfw to communicate
with a Windows FTP server (War, G6, ServU) behind another linux
firewall set up more or less the same way. The server is on port 21,
but I have port forwarding on the linux box that redirects port 27015
to port 21 on the internal FTP server. I also forwarded port 20 on the
external firewall to port 20 on the internal computer with the FTP
server. I can communicate with the FTP server from outside the
firewall from an un-firewalled computer, but not using PASV. From the
FTP client inside the linux firewalled LAN I can connect, but do
nothing else. I'm sure someone in this group is very familiar with
this issue and can help me.

Any help will be appreciated. Thanks.
