Firewall Wizards mailing list archives

Re: fwtk and ftp from behind of fw-1


From: vale () seclab com
Date: Mon, 20 Jul 1998 15:10:06 +0200

On Thu, Jul 16, 1998 at 05:44:14PM -0400, Rick Murphy wrote:
At 02:33 PM 7/16/98 GMT, ark () eltex ru wrote:
I've noticed a strange problem: when I try to ftp from behind fw-1 to
fwtk ftp-gw (fw-1 is set up to allow all outgoing connections from that
machine), data connections hang. I've noticed the same thing does sometimes
happen if I connect to other ftp servers, but only ftp-gw hangs constantly.

fwtk 2.1 on freebsd 2.1.7.1+ipfilter 3.2.9, firewall-1 on NT (can't 
remember the version, it is not my firewall). ftp client is windoze'95
generic.

Is it fwtk or fw-1 problem?

Attempting to be vendor-neutral here -
The FTP RFC specifies a default data port - port 20 - in the privileged
range. The ftp-gw uses a random high-numbered port. FW1 will only work
if the data port is the default port. (Old-time DEC folks will recognize
this as a "mandatory default". If you don't think this has a nice
ring to it, See figure 1.)

You can fix this by binding the incoming socket in callback() to port
20.
      -Rick

  right, ftp-gw as well as aftpd (mjr, too) doesn't bind ftp-data 
  connection to source port 20, thus making super-clever fw1's SPF
  unable to recognize the incoming connection.

  what's better, RFC or insane priv-port trusting? <GRIN>

  I had a similar problem; the topology, simplified, is:

                     Internet   
                        ||
                        ||
                        ||    service network
                        FW-1======================
                        ||              ||
                        ||              ||
                        ||              ||
                       LAN              FTP server (aftpd by mjr)

  Again, connections made to the server were okay, but the ftp-data
  connection hung.
  To fix that I did the following (info gathered from a Checkpoint
  tech bulletin, btw):

  1.    recompilation of the server (aftpd.c, ftp-gw.c is similar)
        with fixed unprivileged ftp-data connection port 20000 (any
        port > 1024, thus avoiding running the server with root priv)

  2.    patching the base INSPECT code ($FWDIR/lib/base.def),
        BACKUP YOUR OLD base.def before doing that

        after line (line 462 in my base.def):

#define ftp_accept_port_clear                   \
                        ENTRY_TYPE(r_ctype) = CONN_TCP, \

        suppose ftp server IP address is 123.123.123.123 and fixed ftp-data
        port is 20000, you have to add:

                        set sr10 20000, \
                        dst=123.123.123.123 or set sr10 20, \

        and modify the next line from:

                        record <dst,20,src,sr1,ip_p> in accepted,

        into a new line as following:

                        record <dst,sr10,src,sr1,ip_p> in accepted,

  3.    save and compile the new database, good luck.

ciao.
.vale.
-- 
Valeriano Bedeschi
Intesis SECURITY LAB            Phone: +39-2-67156301
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: vale () seclab com
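Step 1 of the procedure above (binding the outgoing ftp-data connection to one fixed, unprivileged source port so the firewall's state tracking can match it) written out in C as an added example; it is not vale's patch and not code from fwtk or aftpd. The function names open_ftp_data and observed_source_port are my own, the bind to INADDR_ANY and the SO_REUSEADDR option are my choices, and the self-check uses a loopback listener in place of the FTP client:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

static struct sockaddr_in ipv4(in_addr_t addr_net, unsigned short port)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    a.sin_addr.s_addr = addr_net;
    return a;
}

/* Connect the active-mode data socket to the client's PORT address from a
 * fixed local source port (20, or an unprivileged one such as 20000); the
 * random ephemeral port FW-1 otherwise sees is what makes transfers hang. */
int open_ftp_data(const char *client_ip, unsigned short client_port,
                  unsigned short fixed_src_port)
{
    struct sockaddr_in local = ipv4(htonl(INADDR_ANY), fixed_src_port);
    struct sockaddr_in remote = ipv4(inet_addr(client_ip), client_port);
    int one = 1, s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    /* Every transfer reuses this port: allow rebinding during TIME_WAIT. */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (remote.sin_addr.s_addr == INADDR_NONE ||
        bind(s, (struct sockaddr *)&local, sizeof local) < 0 ||
        connect(s, (struct sockaddr *)&remote, sizeof remote) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Self-check: a loopback listener stands in for the FTP client and reports
 * the source port it sees on the accepted data connection (0 on failure). */
unsigned short observed_source_port(unsigned short fixed_src_port)
{
    struct sockaddr_in a = ipv4(htonl(INADDR_LOOPBACK), 0); /* port 0: any free */
    socklen_t alen = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0), d = -1, c = -1;
    unsigned short seen = 0;
    if (l >= 0 && bind(l, (struct sockaddr *)&a, sizeof a) == 0 && listen(l, 1) == 0
        && getsockname(l, (struct sockaddr *)&a, &alen) == 0)
        d = open_ftp_data("127.0.0.1", ntohs(a.sin_port), fixed_src_port);
    if (d >= 0 && (c = accept(l, (struct sockaddr *)&a, &alen)) >= 0)
        seen = ntohs(a.sin_port);    /* what the firewall would key on */
    close(c); close(d); close(l);    /* close(-1) is a harmless EBADF */
    return seen;
}
```

With port 20 instead of 20000 the bind only succeeds as root, which is exactly the trade-off step 1 avoids.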


