justxcom wrote:
>
> > > At some point, run the following command:
> > > /sbin/insmod ip_masq_ftp
> >
> > And in doing so, you open yourself up to the FTP ALG data channel
> > vulnerabilities resulting in anyone from the outside being able
> > to connect to any host and any port on the inside of the firewall.
>
> Is it possible to connect to any port, or just the 20 and 21 port for ftp
> and ftp-data?
> What is a useful protection against this type of vulnerability, not
> including closing the ip_masq_ftp module?
It is possible to connect to any port 0-65535. Or, if the application
layer filter is slightly smarter, only 1024-65535, which is bad
enough. (To my knowledge, ip_masq_ftp allowed any port when these
exploits surfaced. It may have changed, but I doubt it.)
There is no way to stop all variants of the FTP ALG data channel
exploits if you want active mode FTP to work from your protected
clients.
Period.
If you want to be "safe", don't use ip_masq_ftp or anything else
that enables active mode FTP from your protected clients.
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
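As an added illustration (not code from this thread or from ip_masq_ftp), here is a PORT-command check of the kind an FTP ALG decides on before opening an inbound pinhole: the permissive mode mirrors the "any host, any port" behaviour described above, and the strict mode is the "slightly smarter" filter that admits only unprivileged ports, plus a check that the advertised address matches the client on the control connection. The function names and sample commands are constructed for the example; as the reply says, narrowing the check reduces but does not remove the exposure while active mode FTP is allowed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Active-mode clients announce the data endpoint as "PORT h1,h2,h3,h4,p1,p2"
# (port = p1*256 + p2). This regex accepts exactly six decimal fields.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass
class Decision:
    allow: bool
    reason: str
    host: Optional[str] = None
    port: Optional[int] = None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(p) for p in m.group(1).split(",")]
    if any(p > 255 for p in fields):  # each field is one byte
        return None
    host = ".".join(str(p) for p in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return host, port


def alg_should_open(line: str, client_ip: str, strict: bool = True) -> Decision:
    """Decide whether the ALG opens a pinhole for this PORT command.

    strict=False: the permissive ALG from the thread (any host, any port).
    strict=True:  only a data channel back to the client that sent the
                  command, on an unprivileged (>= 1024) port.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return Decision(False, "malformed PORT command")
    host, port = parsed
    if not strict:
        return Decision(True, "permissive: any host/port accepted", host, port)
    if host != client_ip:
        return Decision(False, "PORT host differs from control-connection client", host, port)
    if port < 1024:
        return Decision(False, "privileged port requested", host, port)
    return Decision(True, "data channel to client on unprivileged port", host, port)
```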