Bugtraq mailing list archives

Re: Update: Extending the FTP "ALG" vulnerability to any FTP client


From: Lars.Troen () MERKANTILDATA NO (Lars.Troen () MERKANTILDATA NO)
Date: Fri, 17 Mar 2000 17:44:17 +0100


With Firewall-1 all ports defined in the /etc/services file will be denied
connections to during an ftp session. This is defined in the file base.def
as follows:
// ports which are dangerous to connect to
#define NOTSERVER_TCP_PORT(p) {
      (not
          (
             ( p in tcp_services, set sr10 RCODE_TCP_SERV, set sr11 0,
              set sr12 p, set sr1 0, log bad_conn)
.....

Firewall-1 does not distinguish between file transfers initiated from your
internal network and a public ftp server serving the internet. This often
causes problems with large file transfers, or when transferring lots of
files. Firewall administrators might for this reason disable this function
as described here:
http://www.phoneboy.com/fw1/faq/0106.html

Also Raptor Firewall has a similar setting in config.cf:
# This restricts ports rather less that allow_low_ports. Raptor strongly
# recommends that you do NOT enable this option.
ftpd.allow_named_ports=NO

I'm not sure about other firewalls, but they're likely to have similar
functionality.

The basic line is: if you're running a public ftp server, you should put all
of its listening ports >1023 in the /etc/services file of the firewall.

This might be difficult to check with many client PCs, and the ftp security
server might be a solution to protect them. Users will complain that some
ftp commands (quote) will not work anymore, but it's always security vs.
functionality vs. obscurity.

Lars

-----Original Message-----
From: Darren Reed [mailto:avalon () COOMBS ANU EDU AU]
Sent: 15. mars 2000 12:43
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Update: Extending the FTP "ALG" vulnerability to any FTP client

[SNIP]

So the upshot of this is with FW-1, you're screwed until you
get the relevant fixes in place for ftp.  With any proxy
based solution, you should only allow passive FTP.

Darren


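As an added example (not part of the thread, and not Check Point's own code), a small Python script that models the check the post describes: it parses an /etc/services file as found on the firewall, models the base.def NOTSERVER_TCP_PORT test as "listed in tcp_services means denied", and reports which of a public ftp server's listening ports above 1023 are not listed and so would still be reachable through the FTP ALG. The services contents, listening ports and passive data range are constructed sample values.

```python
import re

# Constructed sample of an /etc/services file as found on the firewall host.
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp-data    20/tcp
ftp         21/tcp
http        80/tcp    www www-http  # WorldWideWeb HTTP
sunrpc      111/tcp   portmapper
mysql       3306/tcp
x11         6000/tcp  x11-0
"""

def tcp_services(services_text):
    """Return the set of TCP ports declared in /etc/services style text."""
    ports = set()
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"\S+\s+(\d+)/(\w+)", line)
        if m and m.group(2).lower() == "tcp":
            ports.add(int(m.group(1)))
    return ports

def notserver_tcp_port(port, known_tcp):
    """Model (assumption) of the base.def macro: a data connection to a port
    listed in tcp_services is denied and logged; any other port is allowed."""
    return port not in known_tcp

def unprotected_ports(services_text, listening_ports, pasv_range):
    """Listening ports >1023 the FTP ALG would still be allowed to open,
    excluding the server's own passive data range, which must stay out of
    /etc/services or ordinary transfers break (the problem the post notes)."""
    known = tcp_services(services_text)
    lo, hi = pasv_range
    return sorted(p for p in listening_ports
                  if p > 1023 and not lo <= p <= hi
                  and notserver_tcp_port(p, known))

if __name__ == "__main__":
    # Constructed: ports a public ftp server host happens to listen on.
    listening = [21, 22, 3306, 5432, 8080, 50010, 50020]
    for p in unprotected_ports(SAMPLE_SERVICES, listening, (50000, 50100)):
        print(f"{p}/tcp is listening but not in /etc/services: add it")
```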