Firewall Wizards mailing list archives

Re: inbound port 20


From: "Frank Heinzius" <frimp () mms de>
Date: Tue, 29 Jun 1999 10:04:48 +0200

Hi,

On 24 Jun 99, at 9:42, Kaptain wrote:

Hi all.  We are having a live update issue with Symantec because our
firewall blocks inbound port 20 and that is the response port that opens
to receive their file via ftp.  We are considering opening the port
permanently or semi-permanently to alleviate the problem.  Can anyone
point to any security issues that might be associated with this and/or any
precautions we should take if we open the port?  Thanks in advance for any
advice.

All data transferred during an active ftp session is transferred over a 
second connection. The problem is that this connection is initiated from 
the server, port 20, to a destination port >1023 on your client machine.

It depends on the capabilities of your firewall:
If you have "normal" static packet filtering, you have to open 
connections from the Internet (tm), port 20, to all your ftp-allowed 
clients in your network, port >1023, with the ACK bit set (sometimes the 
keyword is "established" on some firewalls).
This makes it easy for internal/external hackers to install a tunnel 
through your firewall. The next point is that packets initiated from 
port 20 with the ACK bit set are passed to the client machine. DoS attacks 
are possible.
If you have dynamic stateful packet inspection, you are able to set up a 
dependency mask: only allow connections initiated from port 20 to port 
1023 on the inside, if the client opened a control connection from a 
port >1023 to the server address, port 21. Of course, this dependency 
relies on a history timeout value. 5 minutes should be enough.

An alternative is passive ftp: most clients, especially Web browsers, use 
it. The control connection is the same as with active ftp. However, the 
data connection is made from the client to the server as well! So you 
don't have to open incoming connections. If you have a firewall with 
Layer 4/5 capabilities, it will be able to capture the PORT command from 
the ftp control session to get the two port numbers for the data channel. 
Only connections between those ports will be allowed during this session.

Kind Regards / Mit freundlichen Gruessen,

--
Frank M. Heinzius               MMS Communication AG
mailto:frimp () mms de             Eiffestrasse 598
http://www.mms.de               20537 Hamburg, Germany
Phone: +49 40 211105-40         Fax: +49 40 210 32 210
-- spam forbidden --            -- PGP key available --
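As an added illustration (not code from the list message or from any firewall product) of the Layer 4/5 helper described in the reply: it decodes the `PORT` command of an active session and the `227` reply of a passive session from a constructed control-channel exchange, and derives the single data-channel pinhole a stateful firewall would open in place of a standing "port 20 to anything >1023" rule. The IP addresses, the 1023 privileged-port boundary and all function names are assumptions for the example.

```python
import re

# Both the PORT command (active ftp) and the 227 reply (passive ftp) carry the
# data-channel endpoint as "h1,h2,h3,h4,p1,p2": four IPv4 octets, then the
# port as high byte and low byte.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 encoding inside text."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range: %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def pinhole_for_active(port_cmd, client_ip, server_ip, ftp_data_port=20):
    """Client sent PORT: permit server:20 -> client:<announced port> only.

    The helper refuses to open anything if the announced address is not the
    client that owns the control connection (a third-party data channel) or
    if the announced port is privileged (<=1023); both are checked first.
    """
    if not port_cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(port_cmd)
    if ip != client_ip:
        raise ValueError("PORT address %s is not the control client %s" % (ip, client_ip))
    if port <= 1023:
        raise ValueError("announced data port %d is privileged" % port)
    return {"src": (server_ip, ftp_data_port), "dst": (client_ip, port)}


def pinhole_for_passive(reply_227, client_ip, server_ip):
    """Server answered PASV with 227: permit client -> server:<port>, outbound only."""
    if not reply_227.startswith("227"):
        raise ValueError("not a 227 reply")
    ip, port = decode_hostport(reply_227)
    if ip != server_ip:
        raise ValueError("227 address %s is not the control server %s" % (ip, server_ip))
    return {"src": (client_ip, None), "dst": (server_ip, port)}


# Constructed control-channel lines (assumed addresses, not from the message).
ACTIVE_LINE = "PORT 192,168,1,10,4,1"                    # client 192.168.1.10:1025
PASSIVE_LINE = "227 Entering Passive Mode (10,0,0,5,195,80)"  # server 10.0.0.5:50000
```

Each returned pinhole is the only data-channel flow that needs to exist for that session, and it can be torn down with the control connection or on the history timeout mentioned above.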
