Well, it sort of works the same way on the E-ppliance 300 (Solaris 7
version of Gauntlet on Sun Netra t105). (Appliance)
So Rick's assumption is correct; it still has that ability.
/mark
At 08:00 AM 10/16/00 -0400, Rick Murphy wrote:
>At 01:49 AM 10/15/2000 -0400, Mordechai T. Abzug wrote:
>>At least with Gauntlet 5.0, ftp-gw has an attribute called data-port.
>>Setting it to 20 did successfully cause ftp-gw to bind to this port,
>>as evidenced by sniffer output. And I made the change without
>>restarting the proxy, which implies that it's running with privileges.
>>Were you involved with Gauntlet 5.0? Maybe NAI made some security
>>compromises to improve the featureset. Ow.
>
>The ability to set the outbound data port to 20 (or whatever) was added
>because as far as the customer was concerned, Gauntlet's FTP proxy was
>broken - you could FTP through the Firewall-1 system from outside the
>firewall OK; put the firewall in place and FTP failed. Checkpoint support
>said it was a Gauntlet bug, so we eventually gave up and added the option.
>We had similar problems with Checkpoint requiring all of the "PORT"
>command - including the line terminator - be in one TCP packet.
>
>I have to agree with Marcus that FTP is a fundamentally flawed protocol -
>see all the problems with trying various firewall implementations. As far
>as I know, however, none of Marcus' FTP proxies can be spoofed by hiding
>newlines in response strings.
>
>Gauntlet has the *ability* (as well as fwtk) to run most proxies unpriv'd.
>Only smap and smapd run that way by default. You can't do this with the
>FTP proxy if you're going to use port 20.
>Disclaimer on the above: I haven't seen Gauntlet since 4.0. This statement
>may no longer be true.
> -Rick (glad I'm not doing firewalls any longer)
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
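The two proxy behaviours the thread touches on, a PORT command arriving split across TCP segments (the Checkpoint complaint) and a PORT argument carrying a hidden line terminator or a third-party address (the spoofing and bounce cases Rick alludes to), can be handled in the control-channel code without any privilege at all. The example below is added here and is not Gauntlet, fwtk or ftp-gw code; it assumes a constructed client address (`CLIENT_IP`) and sample control-channel segments, and the function and class names are hypothetical. Binding the outbound data socket to source port 20, the feature Mordechai observed, is the one part that does require the proxy to keep root (or an equivalent capability) for every data connection, which is why it is kept separate from this unprivileged parsing logic.

```python
import re
from typing import List, Tuple

# Constructed for this example: the proxy's view of the client's control-connection address.
CLIENT_IP = "10.0.0.5"

# PORT h1,h2,h3,h4,p1,p2 (RFC 959, section 4.1.2): six decimal fields and nothing else.
# \Z rather than $ so a trailing bare newline cannot slip past the end anchor.
_PORT_RE = re.compile(
    r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\Z", re.IGNORECASE
)


class PortCommandError(ValueError):
    """Raised for any control line the proxy refuses to act on."""


class ControlLineAssembler:
    """Reassembles CRLF-terminated control-channel lines from arbitrary TCP segments.

    A command split across two segments (the case the thread says Checkpoint
    mishandled) is simply buffered until its terminator arrives.
    """

    def __init__(self, max_line: int = 512) -> None:
        self._buf = b""
        self._max_line = max_line

    def feed(self, data: bytes) -> List[str]:
        self._buf += data
        lines: List[str] = []
        while b"\r\n" in self._buf:
            raw, self._buf = self._buf.split(b"\r\n", 1)
            lines.append(raw.decode("ascii", errors="replace"))
        if len(self._buf) > self._max_line:
            # Unterminated data beyond the limit is not a command; refuse it.
            raise PortCommandError("control line too long without CRLF")
        return lines


def parse_port_command(line: str, client_ip: str) -> Tuple[str, int]:
    """Validate one complete control line as a PORT command and return (host, port).

    Rejects: an embedded CR or LF (a second command hidden inside the line),
    malformed fields, an address other than the control connection's peer
    (the classic FTP bounce), and data ports below 1024.
    """
    if "\r" in line or "\n" in line:
        raise PortCommandError("line terminator embedded in PORT command")
    m = _PORT_RE.match(line)
    if m is None:
        raise PortCommandError("malformed PORT command")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise PortCommandError("PORT field out of range")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if host != client_ip:
        raise PortCommandError(f"PORT address {host} is not the client {client_ip}")
    if port < 1024:
        raise PortCommandError(f"PORT data port {port} is privileged")
    return host, port


def proxy_control_segments(segments: List[bytes], client_ip: str = CLIENT_IP) -> List[str]:
    """Run a sequence of TCP segments through the assembler and decide on each line.

    Returns one decision string per completed line, the sort of thing a proxy
    would write to its log.
    """
    assembler = ControlLineAssembler()
    decisions: List[str] = []
    for seg in segments:
        for line in assembler.feed(seg):
            if line.upper().startswith("PORT "):
                try:
                    host, port = parse_port_command(line, client_ip)
                    decisions.append(f"accept data connection to {host}:{port}")
                except PortCommandError as exc:
                    decisions.append(f"reject: {exc}")
            else:
                decisions.append(f"pass: {line}")
    return decisions


if __name__ == "__main__":
    # Constructed sample: a PORT command split across two segments, then a bounce attempt.
    sample = [b"USER anonymous\r\nPORT 10,0,0,5,", b"4,1\r\n", b"PORT 192,168,1,1,0,80\r\n"]
    for decision in proxy_control_segments(sample):
        print(decision)
```

Because the assembler only hands out lines that ended in CRLF, a bare LF left inside a line is itself evidence of an injection attempt, which is why `parse_port_command` checks for it explicitly instead of relying on the regex anchor alone.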