Date: Mon, 06 Jul 1998 16:45:06 -0700
From: David Greenman <dg@root.com>
To: rotel@indigo.ie
Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Message-ID: <199807062345.QAA15510@implode.root.com>
In-Reply-To: Your message of "Mon, 06 Jul 1998 17:36:05 -0000." <199807061636.RAA00781@indigo.ie>

>On Jul 5, 2:17pm, David Greenman wrote:
>>
>> Passive FTP is initiated by the client and is not something that the server
>> can enforce. Further, it does nothing to enhance security for the server - if
>> anything, it actually reduces the security since you'd have to poke holes
>> through any firewall to allow the client data connects.
>
>Well, the decision to enforce it is a matter of site policy, most
>ftp clients support passive mode by now.

I think you are missing what I'm saying. Again, I'm saying that the FTP
client is the thing that initiates the passive mode (via the PASV command) -
not the server and thus your suggestion to "just use passive FTP on the server"
to get around needing privileged-port bind()s in the server is simply not an
option.

> As for the security, I'd
>prefer to allow connects in to the ftp servers on ports I know it
>will be listening on rather than having a machine inside the DMZ
>initiating TCP connections; having said that, FreeBSD's ftp daemon
>currently accepts connections on ports it is listening on from any
>IP, in accordance with the FTP RFC, but this is inconsistent with
>the behaviour of the PORT command in paranoid mode which will only
>connect to the IP of the control channel peer. What do you think
>of patching this?

Are you talking about the data port listens that ftpd does when it is
operating in passive mode? If so, then you're wrong - ftpd listens for the
control channel IP address. As for non-passive FTP and the PORT command, the
behavior of ftpd (that is, to do the connect to the address specified) is
required in order to support FTP proxies and can't be changed without breaking
that. Thus the "paranoid mode" is bogus and not only does it violate the RFC,
but breaks functionality which many people find useful and necessary...in
fact, thwarting their own attempts at improving security (admins don't use
FTP proxies just to make life more difficult for their users).

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
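
The PORT trade-off discussed in this message, as an added example that is not part of the original e-mail and is not FreeBSD ftpd code: it parses an RFC 959 PORT argument and evaluates it under the RFC behaviour and under a "paranoid" control-peer-only policy, showing that the restriction also refuses the third-party target a proxy transfer names. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (six decimal byte values)
PORT_ARG = re.compile(r"\d{1,3}(,\d{1,3}){5}", re.ASCII)

def parse_port_arg(arg):
    """Return (dotted_ip, port) for a PORT argument, or raise ValueError."""
    arg = arg.strip()
    if not PORT_ARG.fullmatch(arg):
        raise ValueError("expected six comma-separated decimal fields")
    nums = [int(f) for f in arg.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def check_port(arg, control_peer, paranoid):
    """Decide whether the server would open the data connection.

    paranoid=False: RFC behaviour, connect to the address the client names
                    (what proxy / third-party transfers rely on).
    paranoid=True:  connect only to the control-channel peer's address.
    Returns (allowed, reason).
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, "malformed PORT: %s" % exc
    peer = str(ipaddress.IPv4Address(control_peer))  # normalise peer address
    if paranoid and ip != peer:
        return False, "target %s is not control peer %s" % (ip, peer)
    return True, "connect to %s:%d" % (ip, port)

if __name__ == "__main__":
    peer = "192.0.2.10"                      # constructed control-channel peer
    samples = [
        "192,0,2,10,19,137",                 # client names itself
        "198,51,100,7,4,1",                  # third-party target (proxy case)
        "192,0,2,300,1,1",                   # malformed: octet out of range
    ]
    for arg in samples:
        for paranoid in (False, True):
            print(arg, "paranoid" if paranoid else "rfc",
                  check_port(arg, peer, paranoid))
```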