Hi All,
I am facing problems with inbound FTP. I have tried to analyze the code
in ippr_ftp_process() and appr_fixseqack() and have failed to understand
how passive ftp would work. Here is the description of my analysis.
In case of inbound FTP, control command
"Response: 227 Entering Passive Mode (x1,x2,x3,x4,p1,p2)"
would be sent from the server to the client, i.e. from LAN to WAN. The
proxy would intercept the above command and modify it as below:
"Response: 227 Entering Passive Mode (y1,y2,y3,y4,p1,p2)"
Let us say, that during the process of modifying the IP address in the
control command above it has injected 3 bytes into the TCP stream. This
will cause the aps_seqmin and aps_seqoff to be set by the
appr_fixseqack() function which is called right after
ippr_ftp_process(). The code snippet which does this is given below.

    [...]
    if (inc && (seq1 > aps->aps_seqmin[!sel])) {
            aps->aps_seqmin[sel] = seq1 + nlen - 1;
            aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
            if (ipf_proxy_debug > 7)
                    printf("proxy seq set %d at %x to %d + %d\n",
                           sel, aps->aps_seqmin[sel],
                           aps->aps_seqoff[sel], inc);
    }
    [...]

At this point aps_ackmin and aps_ackoff are 0.
Now, say the client responds to this packet with an ack = seq1 + nlen.
The ippr_ftp_process() function is dropping this packet. The code
diagnoses this packet as being invalid because of the following reasons.
In this case rv=0 (because it's a redirect rule and rv=0 indicates
inbound processing). The evaluation of seqoff and ackoff will result in
3 and 0 respectively. Since ackoff is 0, the following checks fail in
ippr_ftp_process():

    [....]
    if (ackoff == 0) {
            if (t->ftps_seq[0] == thack)
                    ok = 1;
            else if (t->ftps_seq[1] == thack) {
                    t->ftps_seq[0] = thack;
                    ok = 1;
            }
    [....]

The packet eventually gets dropped.
I have a feeling that this code is not able to handle inbound passive
FTP scenarios. All other scenarios work fine (outbound active, outbound
passive, inbound active).
Can someone enlighten me if I am missing something here? I can provide
the ethereal traces and the console debug output with ippr_ftp_debug
and ipf_proxy_debug set, if required.
Thanks in advance for any help
regards
samba
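
Added example, not part of the original post and not IPFilter's code: a generic model of the bookkeeping a NAT proxy needs after it changes the length of one TCP segment, such as the rewritten 227 reply described above. Later sequence numbers from the sender are shifted forward, and ACKs coming back for the rewritten data are shifted back by the same amount before they can match the sender's own numbering. The struct, the function names and the sample numbers are all hypothetical, and only a single rewrite per direction is tracked.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one rewritten segment; not IPFilter's data structures. */
struct rewrite_state {
    uint32_t edge_orig; /* first byte after the segment, as the sender numbers it */
    uint32_t edge_new;  /* the same point, as the receiver sees it after the rewrite */
    int32_t  off;       /* bytes added (+) or removed (-) by the proxy */
};

/* Wraparound-safe "a >= b" for 32-bit TCP sequence numbers. */
static int seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

/* Record a rewrite of the segment starting at seq1 with original payload olen. */
void note_rewrite(struct rewrite_state *st, uint32_t seq1, uint32_t olen, int32_t inc)
{
    st->edge_orig = seq1 + olen;
    st->edge_new  = seq1 + olen + (uint32_t)inc;
    st->off       = inc;
}

/* Sender -> receiver: segments after the rewritten one are shifted forward. */
uint32_t fix_seq(const struct rewrite_state *st, uint32_t seq)
{
    return seq_geq(seq, st->edge_orig) ? seq + (uint32_t)st->off : seq;
}

/* Receiver -> sender: ACKs covering the rewritten segment are shifted back. */
uint32_t fix_ack(const struct rewrite_state *st, uint32_t ack)
{
    return seq_geq(ack, st->edge_new) ? ack - (uint32_t)st->off : ack;
}

int main(void)
{
    struct rewrite_state st;
    /* Constructed values: 227 reply at seq 1000, 48 bytes, grown by 3 bytes. */
    note_rewrite(&st, 1000, 48, 3);
    printf("client ack 1051 -> server sees %u\n", (unsigned)fix_ack(&st, 1051));
    printf("server seq 1048 -> client sees %u\n", (unsigned)fix_seq(&st, 1048));
    printf("server seq 1000 -> client sees %u\n", (unsigned)fix_seq(&st, 1000));
    return 0;
}
```

In this model a validity check that compares the untranslated ACK (1051) against the sender's tracked sequence number (1048) is off by exactly the injected byte count.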