In some email I received from Daniel Hartmeier, sie wrote:
> On Thu, Oct 10, 2002 at 11:45:48PM +1000, Darren Reed wrote:
>
> > That brings me to another point, that was sorely missed in all the
> > public material I've seen so far, except maybe by Sun (and in the
> > wrong way) and that is you need a very special ftp daemon (i.e. not
> > any of the vendor ones I have tried) before it will stand a chance
> > of defeating IPFilter.
>
> How about the NetBSD ftpd?
>
> $ telnet ftp.netbsd.org 21
> Trying 2001:4f8:4:b:2e0:81ff:fe21:6563...
> Connected to ftp.netbsd.org.
> Escape character is '^]'.
> 220 ftp.netbsd.org FTP server (NetBSD-ftpd 20020615) ready.
> HELP 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
> 502 Unknown command 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
>
> ip_fil3.4.29/ip_ftp_pxy.c ippr_ftp_pasv() accepts that, when I tickle
> the server to retransmit the "227 ..." part, no?

From a trace when I was doing testing:
...
Sep 2 01:35:38 openbsd /bsd: IN: 18 seq 44054f9b/0 ack a9/0 len 68
Sep 2 01:35:38 openbsd /bsd: sel 0 seqmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: sel 0 ackmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: rv 1 t:seq[0] a9 seq[1] a9 0/0
Sep 2 01:35:38 openbsd /bsd: ftps_seq[1] = 44054fdf inc 0 len 68
Sep 2 01:35:38 openbsd /bsd: appr_fixseqack: seq 44054f9b ack a9
Sep 2 01:35:38 openbsd /bsd: OUT: 10 seq a9/0 ack 44054f9f/0 len 0
Sep 2 01:35:38 openbsd /bsd: sel 0 seqmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: sel 0 ackmin 0/0 offset 0/0
Sep 2 01:35:38 openbsd /bsd: rv 0 t:seq[0] 44054f9b seq[1] 44054fdf 0/0
Sep 2 01:35:38 openbsd /bsd: not ok
Sep 2 01:35:38 openbsd /bsd: proxy says bad packet received

The FTP proxy in 3.4.29 does not support partial resending of segments
(or at least did not appear to in my testing :-).

RTFS.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
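
The two checks this exchange turns on, as an added example that is not code from IPFilter or from either poster: a "227" reply is honoured only when it begins a complete line of the in-order server stream, and a segment that does not start at the expected sequence number is ignored. The struct, function names, buffer size and the simplification of rejecting every out-of-sequence segment are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection state for the server-to-client control stream. */
struct ctl_stream {
    uint32_t next_seq;  /* next in-order sequence number expected */
    char line[128];     /* reply line currently being assembled */
    size_t len;         /* bytes stored in line */
    int overflow;       /* set when the current line outgrew the buffer */
};

/* Accept only a complete line that begins with "227 "; returns 1 on success. */
static int parse_227(const char *line, unsigned *port)
{
    unsigned v[6];
    const char *paren = strchr(line, '(');

    if (strncmp(line, "227 ", 4) != 0 || paren == NULL)
        return 0;
    if (sscanf(paren, "(%u,%u,%u,%u,%u,%u)", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    *port = v[4] * 256 + v[5];
    return 1;
}

/* Feed one segment: 1 = 227 reply seen, 0 = none, -1 = out of sequence. */
int ctl_feed(struct ctl_stream *s, uint32_t seq, const char *data, size_t n, unsigned *port)
{
    int found = 0;

    if (seq != s->next_seq)     /* retransmission or partial resend: ignore */
        return -1;
    s->next_seq += (uint32_t)n;
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {  /* line complete: inspect it, then reset */
            s->line[s->len] = '\0';
            if (!s->overflow && parse_227(s->line, port))
                found = 1;
            s->len = 0;
            s->overflow = 0;
        } else if (s->len + 1 < sizeof(s->line)) {
            s->line[s->len++] = data[i];
        } else {
            s->overflow = 1;    /* over-long line is never parsed */
        }
    }
    return found;
}
```

With this state, the "502 Unknown command 227 ..." line is read as a 502 reply, and a resend that begins at the embedded "227" arrives at a sequence number the stream has already passed, so it is never parsed as a reply of its own.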
This archive was generated by hypermail 2b30 : Thu Oct 10 2002 - 12:29:36 PDT