Re: ftp with squid 2

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 28 May 2000 14:07:37 +0200

Squid defaults to using what is usually called passive FTP. Passive FTP
connections originate from the client (i.e. Squid) with a "random"
source port to a "random" port assigned by the FTP server.

There is no FTP mode where connections are made from the client to port
20 on the server. In such a mode connections are made from the server port
20 to a port on the client. (In this case server == FTP server, client
== Squid.)

Note, blind packet filtering on only the port number, allowing anything
with remote port 20 or 21, is no packet filter at all. All a hacker needs
to do to bypass your filter is to set the source port, and your whole
network will be open for access. You cannot set up a reliable packet
filter for non-passive FTP clients unless the packet filter is a smart
one and can fully track the state of FTP sessions. I don't know of any
packet filters capable of doing this in all cases (not even CheckPoint
FW1).

--
Henrik Nordstrom
Squid hacker
ich_bin_nicht_ich@gmx.de wrote:
> 
> Hi,
> I am using 2.2.STABLE3 for i686-pc-linux-gnu on my linux box together with
> a packet filter. For ftp transactions the filter accepts connections from
> my box to another machine to port 21 and 20. With ftp from the command line it
> works quite well, but not when I am using squid, because squid does not use port 20
> for data but something >1024. How can I tell squid to use port 20 for ftp
> data?
> 
> thanks nils
> 
> --
> Sent through GMX FreeMail - http://www.gmx.net
Received on Sun May 28 2000 - 17:54:35 MDT
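Henrik's contrast between a port-only filter and one that tracks FTP sessions, as an added worked example (editor's code; not Squid's, and not posted by anyone in this thread). It runs the rule set from the question beside a toy tracker that reads PORT commands and 227 replies off the control connection and permits only the announced data connection. The hosts (TEST-NET addresses), ports and session lines are all constructed; the helper names are the example's own.

```python
"""Toy packet filter: the port-only rules from the thread beside an FTP-aware one.
Added example, not Squid's code or any real firewall's; all traffic is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True = TCP connection attempt
    payload: bytes = b""   # data on an already established connection


def inside(ip):
    return ip.startswith("192.0.2.")   # constructed: "our" network is 192.0.2.0/24


def stateless_allow(pkt):
    """The rules from the question, judged on the remote port alone: out to remote
    21/20, and in from remote 20 (needed for non-passive FTP's server-initiated data)."""
    if not pkt.syn:
        return True                     # established traffic: not examined here
    if inside(pkt.src) and not inside(pkt.dst):
        return pkt.dport in (20, 21)
    if inside(pkt.dst) and not inside(pkt.src):
        return pkt.sport in (20, 21)    # the hole Henrik describes
    return False


_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(m):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpAwareFilter:
    """Opens a data connection only if a tracked control session announced it.
    Simplified: one command per segment, plaintext control channel, no retransmission
    or fragment handling (exactly the cases that trouble real implementations too)."""

    def __init__(self):
        self.control = set()    # (client, client_port, server): sessions to server:21
        self.expected = set()   # (src, sport or None, dst, dport): single-use permits

    def allow(self, pkt):
        if pkt.syn:
            return self._allow_syn(pkt)
        self._inspect(pkt)
        return True

    def _allow_syn(self, pkt):
        if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 21:
            self.control.add((pkt.src, pkt.sport, pkt.dst))
            return True
        permit = next((e for e in self.expected
                       if (e[0], e[2], e[3]) == (pkt.src, pkt.dst, pkt.dport)
                       and e[1] in (None, pkt.sport)), None)
        if permit is None:
            return False
        self.expected.discard(permit)   # each announcement opens exactly one connection
        return True

    def _inspect(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst) in self.control and pkt.dport == 21:
            m, sport = _PORT_RE.match(pkt.payload), 20     # server:20 will connect back
        elif (pkt.dst, pkt.dport, pkt.src) in self.control and pkt.sport == 21:
            m, sport = _PASV_RE.match(pkt.payload), None   # client picks its own port
        else:
            return
        if m:
            host, port = _endpoint(m)
            if host == pkt.src:         # refuse third-party (FXP-style) targets
                self.expected.add((pkt.dst, sport, host, port))


def demo():
    """Run both filters over constructed traffic; returns {scenario: allowed}."""
    squid, server, attacker = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    sf, r = FtpAwareFilter(), {}
    # 1. An outsider simply sets source port 20 and aims at an internal SSH port.
    spoof = Packet(attacker, 20, squid, 22, syn=True)
    r["spoof sport 20 -> ssh, port-only"] = stateless_allow(spoof)
    r["spoof sport 20 -> ssh, ftp-aware"] = sf.allow(spoof)
    # 2. Passive FTP as Squid does it: control to 21, then data to a high port.
    sf.allow(Packet(squid, 40001, server, 21, syn=True))
    sf.allow(Packet(server, 21, squid, 40001,
                    payload=b"227 Entering Passive Mode (198,51,100,5,156,46)\r\n"))
    data = Packet(squid, 40002, server, 156 * 256 + 46, syn=True)
    r["passive data -> 39982, port-only"] = stateless_allow(data)   # Nils' complaint
    r["passive data -> 39982, ftp-aware"] = sf.allow(data)
    # 3. Non-passive FTP: client announces a port, server port 20 connects back.
    sf.allow(Packet(squid, 40001, server, 21, payload=b"PORT 192,0,2,10,156,47\r\n"))
    back = Packet(server, 20, squid, 156 * 256 + 47, syn=True)
    intruder = Packet(attacker, 20, squid, 156 * 256 + 47, syn=True)
    r["intruder sport 20 -> announced port, ftp-aware"] = sf.allow(intruder)
    r["server:20 -> announced port, ftp-aware"] = sf.allow(back)
    r["server:20 again (replay), ftp-aware"] = sf.allow(back)
    return r
```

Calling demo() shows the two failure modes side by side: the port-only rules wave through the outsider who chose source port 20 and at the same time drop Squid's passive data connection to the server's high port, while the tracker does the reverse, admits port 20 only from the server that was told the announced port, and only once. The tracker is deliberately naive (one command per segment, no reassembly, no TLS on the control channel, no NAT rewriting), which is why Henrik's caveat that no filter handles all cases still stands.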

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:35 MST