Date: Tue, 7 Jul 1998 11:46:35 +0000
From: Niall Smart <rotel@indigo.ie>
To: dg@root.com, rotel@indigo.ie
Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Message-ID: <199807071046.LAA00625@indigo.ie>
In-Reply-To: David Greenman <dg@root.com> "Re: bsd securelevel patch question" (Jul 7, 12:17am)
On Jul 7, 12:17am, David Greenman wrote:
} Subject: Re: bsd securelevel patch question
> > >> > As for the security, I'd
> > >> >prefer to allow connects in to the ftp servers on ports I know it
> > >> >will be listening on rather than having a machine inside the DMZ
> > >> >initiating TCP connections; having said that, FreeBSD's ftp daemon
> > >> >currently accepts connections on ports it is listening on from any
> > >> >IP, in accordance with the FTP RFC, but this is inconsistent with
> > >> >the behaviour of the PORT command in paranoid mode which will only
> > >> >connect to the IP of the control channel peer. What do you think
> > >> >of patching this?
> > >>
> > >> Are you talking about the data port listens that ftpd does when it is
> > >> operating in passive mode? If so, then you're wrong - ftpd listens for the
> > >> control channel IP address.
> > >
> > >No it doesn't; check dataconn() in ftpd.c, it simply accepts the
> > >connection after using select for timeout. The "authentication"
> > >for PORT occurs as part of parsing the PORT command in host_port in
> > >ftpcmd.y
> >
> > What does accept() have to do with how the socket is bind()ed? (Answer:
> > absolutely nothing) The bind() and listen() occur in the passive() function,
> > which very definitely sets the ctrl_addr as the listen address.

I'm talking about the addresses the ftpd will accept data channel
connections from in paranoid (and passive) mode, not the address at
which it listens for those connections. I thought you were too, from
what you said above: "ftpd listens for the control channel IP address".
In paranoid mode and active mode it will only connect the data channel
to the control channel peer on a non-privileged port. When in paranoid
mode and passive mode it will accept data channel connections from any
IP on any port.

> > I also don't
> > know what you're talking about regarding the PORT command in passive mode
> > since these are mutually exclusive.
Yes I know; I was pointing out that there is no function which handles
authentication of the remote data channel peer in both the passive and
active modes in paranoid mode.

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
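The missing check the thread is about, written out as an added example in C (this is not ftpd code and not part of the original message): after accept() on the passive data socket, the data peer is compared with the control-channel peer under the same rule the PORT path applies, same host and a non-privileged source port. The function names and the FTPD_PRIV_PORT_LIMIT constant are assumptions made for the example.

```c
/* Added example, not ftpd code: peer check for a passive-mode data
 * connection, applying the rule the thread describes for PORT. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>
#define FTPD_PRIV_PORT_LIMIT 1024 /* assumed: source ports below this are refused */

/* 1 if the data peer is the control-channel host on a non-privileged port. */
int data_peer_allowed(const struct sockaddr_in *ctrl_peer,
                      const struct sockaddr_in *data_peer)
{
    if (ctrl_peer->sin_family != AF_INET || data_peer->sin_family != AF_INET)
        return 0;
    if (ctrl_peer->sin_addr.s_addr != data_peer->sin_addr.s_addr)
        return 0;
    return ntohs(data_peer->sin_port) >= FTPD_PRIV_PORT_LIMIT;
}

/* Build a sockaddr_in from a dotted quad and a host-order port. */
int make_peer(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1;
}

/* String-argument wrapper; the control peer's port does not matter here. */
int peer_check_str(const char *ctrl_ip, const char *data_ip, unsigned short data_port)
{
    struct sockaddr_in c, d;
    if (!make_peer(&c, ctrl_ip, 0) || !make_peer(&d, data_ip, data_port))
        return 0;
    return data_peer_allowed(&c, &d);
}

/* Where the check belongs: right after accept() on the passive socket. A
 * connection from another host is closed and -1 returned to the caller. */
int accept_checked_dataconn(int pasv_fd, const struct sockaddr_in *ctrl_peer)
{
    struct sockaddr_in from;
    socklen_t fromlen = sizeof from;
    int fd = accept(pasv_fd, (struct sockaddr *)&from, &fromlen);
    if (fd >= 0 && (fromlen != sizeof from || !data_peer_allowed(ctrl_peer, &from))) {
        close(fd); /* reject: not the control-channel peer */
        fd = -1;
    }
    return fd;
}
```

The caller of accept_checked_dataconn() can keep waiting within its existing select() timeout after a rejected connection, or abort the transfer.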