"FTP-ish"? There are actually valid reasons to use something like this.
Various purchased applications that we have utilize servers which accept an
initial IP/PORT. These "initial connection" servers validate the request and
then assign it off to another process which may be executing on another
system (load-balancing, for example). This "pass-off" requires opening
another connection. That information is done via a PORT command similar to
FTP. While this doesn't have concurrent command/data connections, it has a
similar logic.

If you are going to allow for centralized control and management while
allowing services to run on multiple systems, I'm not sure there is a clean
alternative. The big difference here is that the IP addresses and server
ports used are static and the reconnection is also validated. Hence, you
could consider this to be firewall friendly (sort of).

The big hack of FTP, in my opinion, isn't the command port and data port
arrangement. It is that there is a default SOURCE port for the data
connection (and, for that matter, as I understand it, a default destination
port but that's generally changed by the PORT command). The standard itself
admits that this is a poor situation. The other problem is that the client
initiates the connection of the command stream but the SERVER, by default,
initiates the connection of the data stream. This "back feed" messes up all
sorts of security models. For sites which only want their users to access
the Internet (and not have Internet users access them), it's FTP which
prevents them from configuring their router to only allow "established"
packets back in. No other protocol that I know of requires this back-feed.
"PASV" seems to be a cleaner way (and is the way that the previously
mentioned applications work). 

I agree that the safest way to handle this is to configure the firewall to
understand the PORT command and to open the port in that situation. Opening
up a range of high-ports isn't the best way to go.
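The approach endorsed above, a firewall helper that understands the PORT command (and the PASV reply) and opens only the advertised port, as an added example in Python; this is not code from the thread or from any firewall product. It assumes the helper already knows both ends of the control connection, and the `Pinhole` type, function names and addresses are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed representation of the dynamic rule a stateful helper would add.
@dataclass(frozen=True)
class Pinhole:
    src: str    # side that will open the data connection
    dst: str    # side that is listening
    dport: int  # listening port advertised on the control channel

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode FTP's h1,h2,h3,h4,p1,p2 field into (ip, port); ValueError if absent or out of range."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]

def pinhole_for_port(cmd_line, client_ip, server_ip):
    """Active mode: the client sends 'PORT ...' and the server connects back,
    so the hole points server -> client. Refuse it when the advertised address
    is not the control connection's client or the port is privileged."""
    if not cmd_line.upper().startswith("PORT "):
        return None
    ip, port = parse_hostport(cmd_line)
    if ip != client_ip or port < 1024:
        return None
    return Pinhole(src=server_ip, dst=ip, dport=port)

def pinhole_for_pasv(reply_line, client_ip, server_ip):
    """Passive mode: the server answers '227 ... (h1,h2,h3,h4,p1,p2)' and the
    client connects out, so the hole points client -> server. Only accept a
    listener on the server that sent the reply."""
    if not reply_line.startswith("227 "):
        return None
    ip, port = parse_hostport(reply_line)
    if ip != server_ip or port < 1024:
        return None
    return Pinhole(src=client_ip, dst=ip, dport=port)
```

Each returned `Pinhole` is a single, short-lived rule tied to one control session, which is what makes this narrower than statically opening a high-port range.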

> -----Original Message-----
> From: Al Potter [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, December 04, 2000 12:23 PM
> To: Samir Fahim
> Cc: [EMAIL PROTECTED]
> Subject: Re: Corba application using random ports 
> 
> > This is a typical problem with all kind of client/server applications!
> > You have to allow tcp-high ports on your firewall!
> 
> 
> Thus, letting in the dragons....
> 
> Actually, the RIGHT thing to do is:
> 
>  1. Write protocols which don't behave this way or
>  
>  2. Write a proxy or filter which monitors the data stream and opens /
>     closes additional ports as necessary.
> 
> 
> This is "ftp-ish".  The ftp control-port data-port lashup is an obsolete
> hack that all who firewall (coders, testers and administrators) are STILL
> living with.  Why anyone would spec a protocol like this these days is
> beyond me.
> 
> 
> 
> AL
> - -- 
> +--------------------------------------------------------------------+
> | Al Potter                           Manager, Network Security Labs |
> | apotter at-yay icsa ot-day net                           ICSA Labs |
> | (If the spambots learn piglatin...)                                |
> | PGP Key: 0x58C95451                            http://www.icsa.net |
> | PGP Fingerprint:  D3 1D BE 8C B5 DD 12 61  5A 4A 65 32 93 E5 D9 36 |
> +--------------------------------------------------------------------+
> 
> 
> 
> 
> > 
> > Kind regards,
> > 
> > Samir Fahim
> > ISE
> > 
> > At 18:59 3/12/2000 -0000, Murugavel Balasubramaniam wrote:
> > >Hi
> > >
> > >I've a corba application, the server inside my company's internal network
> > >and the client in one of the agents' machines with Checkpoint FW-1 in
> > >between. The client initiates a connection with the server to a fixed port
> > >(14000), but then it talks to the client in different random ports.
> > >Everything is working fine if I open all ports thru the firewall. I'm not
> > >able to restrict the application to use only predetermined ports. I checked
> > >all available documentations, manuals etc.
> > >Can this be solved by some settings or special rules in my firewall? (maybe
> > >using the 'stateful' thing in FW-1??) Or is this to be handled only thru
> > >the application?
> > >
> > >Thanks
> > >Samuel
> > >
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> > 