Firewall Wizards mailing list archives
Re: New ftp behavior
From: David Aylesworth <dave () tlogic com>
Date: Mon, 27 Oct 97 14:11:47 -0500
This is actually not in violation of the specs (RFCs 959 and 1123), otherwise PORT and PASV commands would not include an IP address with the port number. As several people mentioned, this behavior is all too common on the Internet (mostly from hosts with interface aliases). Our firewall (and I'm sure many of our competitors') supports enabling or disabling the enforcement of this restriction on a per-policy basis. We recommend that as customers find popular servers that exhibit this (mis)behavior, they add the server's address to a different firewall policy that does not enforce this address matching restriction.

-Dave

In article <199710231622.LAA24519 () nfr net>, Delmer wrote:
I checked the logs and discovered that, although the original ftp connection was made to xxx.xxx.xxx.yyy, the response was coming from xxx.xxx.xxx.zzz. The firewall very properly considered this an attempt to hijack an open port and closed the ftp transaction.
David Aylesworth Technologic, Inc david.aylesworth () tlogic com 770/522-0222 x228
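The address-matching rule discussed in this thread, shown as an added Python example that is not part of the original posts or of Technologic's product: it parses the h1,h2,h3,h4,p1,p2 field shared by PASV replies and PORT commands, compares the advertised host with the control-connection peer, and tolerates a mismatch only for peers placed in a relaxed policy. The addresses, the relaxed_policy set and the function names are constructed for illustration.

```python
import re

# Matches the h1,h2,h3,h4,p1,p2 form shared by PASV replies and PORT commands (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,...,p2)' reply
    or a 'PORT h1,...,p2' command. Raises ValueError on malformed input."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]      # p1 is the high byte, p2 the low byte
    return ip, port


def check_data_connection(control_peer, message, relaxed_policy=frozenset()):
    """Decide whether to permit the data connection a PASV reply or PORT command asks for.

    control_peer:   IP of the other end of the control connection (the server for
                    PASV replies, the client for PORT commands).
    message:        the raw reply or command line.
    relaxed_policy: control-connection peers placed in a policy that does not enforce
                    address matching (constructed; mirrors the per-policy switch in the thread).
    Returns (allowed, reason).
    """
    advertised_ip, _port = parse_hostport(message)
    if advertised_ip == control_peer:
        return True, "advertised address matches control connection"
    if control_peer in relaxed_policy:
        return True, "mismatch %s != %s tolerated by relaxed policy" % (advertised_ip, control_peer)
    return False, "advertised %s does not match control peer %s; treated as a hijack attempt" % (
        advertised_ip, control_peer)


if __name__ == "__main__":
    # Constructed session: control connection to 192.0.2.10 (TEST-NET-1), but the
    # server answers PASV with an aliased interface address, as in Delmer's logs.
    server = "192.0.2.10"
    reply = "227 Entering Passive Mode (192,0,2,11,19,137)"
    print(check_data_connection(server, reply))                            # strict policy: denied
    print(check_data_connection(server, reply, frozenset({server})))       # relaxed policy: allowed
```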