active & passive ftp without opening everything

Discussion in 'LnS English Forum' started by Andreas1, Feb 11, 2003.

Thread Status:
Not open for further replies.
  1. Andreas1

    Andreas1 Security Expert

    Jan 29, 2003
    Mainz (Ger)
    Hi all,
    i have played around with ftp this evening and it is surely a bugger. Prb: Actually i'd like to be able to use my ftp client to connect to whatever server i like, regardless of whether it supports passive ftp or not. But, as i understand it,
    that freaky "data connection" forces me to open up just about everything. Okay, i can restrict it so that it's only active when certain apps are running, but as soon as my browser or my TrojanScanner are in the list, it's active almost all the time...

    Anyone having any idea - short of "connection tracking" like linux iptables does, i.e. parsing the ftp control dialogue and thus finding out which singular port to open each time?

    More detail:
    I have no problem establishing the control connection from localhost:arbitrary to arbitrary:21.
    But when the data connection is established, and i want to allow *both* active and passive, i have to cater with in- and outbound SYNs, in- and outbound SYNACKs, and in- and outbound ACK(PSH)s, all on arbitrary ports. (When I'm lucky, i can restrict inbound SYNs and outbound SYNACKs to remote port 20, but as i am browsing through my ftp client's server database, i find that not all servers adhere to the active ftp standard in this respect).
    So, that covers almost everything.


    Lots of thanks in advance,
Thread Status:
Not open for further replies.