At 01:49 AM 10/15/2000 -0400, Mordechai T. Abzug wrote:
>At least with Gauntlet 5.0, ftp-gw has an attribute called data-port.
>Setting it to 20 did successfully cause ftp-gw to bind to this port,
>as evidenced by sniffer output. And I made the change without
>restarting the proxy, which implies that it's running with privileges.
>Were you involved with Gauntlet 5.0? Maybe NAI made some security
>compromises to improve the featureset. Ow.
The ability to set the outbound data port to 20 (or whatever) was added
because as far as the customer was concerned, Gauntlet's FTP proxy was
broken - you could FTP through the Firewall-1 system from outside the
firewall OK; put the firewall in place and FTP failed. Checkpoint support
said it was a Gauntlet bug, so we eventually gave up and added the option.
We had similar problems with Checkpoint requiring all of the "PORT" command
- including the line terminator - be in one TCP packet.
I have to agree with Marcus that FTP is a fundamentally flawed protocol -
see all the problems with trying various firewall implementations. As far
as I know, however, none of Marcus' FTP proxies can be spoofed by hiding
newlines in response strings.
Gauntlet has the *ability* (as well as fwtk) to run most proxies unpriv'd.
Only smap and smapd run that way by default. You can't do this with the FTP
proxy if you're going to use port 20.
Disclaimer on the above: I haven't seen Gauntlet since 4.0. This statement
may no longer be true.
-Rick (glad I'm not doing firewalls any longer)
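As an added illustration of the two proxy behaviours the message touches on (a PORT command straddling TCP segments, and replies with hidden line terminators), here is example code that is not from Gauntlet, fwtk or any poster; the sample segments are constructed, and the client-address and unprivileged-port checks are this example's own defensive policy assumptions.

```python
import re

# Constructed sample: a PORT command split across two TCP segments,
# the case the thread says FireWall-1 failed to reassemble.
SEGMENTS = [b"PORT 192,168,1", b",10,4,1\r\nTYPE I\r\n"]

PORT_RE = re.compile(rb"^PORT (\d{1,3}(?:,\d{1,3}){5})$", re.IGNORECASE)

def reassemble_commands(segments):
    """Buffer TCP segments and yield complete CRLF-terminated FTP command
    lines, so a command straddling a segment boundary is still parsed whole."""
    buf = b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            yield line
    # An unterminated tail stays buffered: it is not yet a complete command.

def parse_port(line, client_ip):
    """Validate a PORT command as a proxy should (assumed policy): exactly six
    octets, address equal to the control connection's client, port > 1023.
    Returns (host, port) or None when the command must be refused."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(b",")]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if host != client_ip:      # refuse third-party (bounce) data connections
        return None
    if port < 1024:            # refuse data connections to privileged ports
        return None
    return host, port

def reply_is_clean(reply):
    """Reject a server reply that embeds extra CR or LF before its terminator,
    the newline-hiding trick the message says fwtk-style proxies resist."""
    body = reply.rstrip(b"\r\n")
    return b"\r" not in body and b"\n" not in body

if __name__ == "__main__":
    for cmd in reassemble_commands(SEGMENTS):
        print(cmd, parse_port(cmd, "192.168.1.10"))
```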