List:       ipfilter
Subject:    Re: Active FTP from firewall doesn't work for some URLs
From:       Carson Gaspar <carson () taltos ! org>
Date:       2003-11-15 20:11:59

--On Saturday, November 15, 2003 10:38 PM +0530 Ram Chandar 
<cnn_dinu01@sancharnet.in> wrote:

> For eg: these URLs don't work
>
> ftp://us-1.updates.f-prot.com/pub/fp-def.zip
> ftp://ftp.ora.com/pub/examples/nutshell/ujip/doc/cjk.inf
>
> Can anybody try these URLs from their IPF enabled firewalls
> and verify this problem?

Verified. The FTP servers are doing something I'm pretty sure is in 
violation of the RFC - passing multi-line responses to the client (I'll 
have to track down the umpteen FTP RFCs to be certain...), and ipfilter 
isn't handling it properly. Basically, they're doing:

230-text
	blah
	blah
	blah
230 Anonymous access granted, restrictions apply.

Instead of:
230-text
230-blah
230-blah
230-blah
230 Anonymous access granted, restrictions apply.

I caught this in ipnat -l:

        proxy ftp/6 use 2 flags 0
                proto 6 flags 0 bytes 1042 pkts 11 data YES size 384
        FTP Proxy:
                passok: 2
        Client:
                seq 80476c0 len 16 junk 0 cmds 1
                buf [USER anonymous\015\012\000]
        Server:
                seq 804777c len 76 junk 1 cmds 1
                buf [ \015\012 Email contact: ftp-admin@f-prot.com\015\012 \015\012220 FTP server ready.\015\012331 Anonymous login ok, send your complete email address as your password.\015\012rot.com/pub/\015\012 \015\000]

Followed by:

        proxy ftp/6 use 2 flags 0
                proto 6 flags 0 bytes 1673 pkts 20 data YES size 384
        FTP Proxy:
                passok: 2
        Client:
                seq 80476c0 len 10 junk 0 cmds 6
                buf [CWD /pub\015\012@\015\012s\015\012\000]
        Server:
                seq 804777c len 20 junk 0 cmds 4
                buf [200 Type set to I.\015\012irectory.\015\012estrictions apply.\015\012 server ready.\015\012331 Anonymous login ok, send your complete email address as your password.\015\012rot.com/pub/\015\012 \015\000]

The FTP proxy missed the 331 response, so it doesn't handle the PORT 
command.

It looks like this code should do the right thing, but clearly something is 
going wrong:

                /* "Junk" mode: the proxy has lost sync with the server's
                 * reply stream (junk 1 in the ipnat -l output above), so it
                 * discards everything up to and including the next CRLF and
                 * only then returns to parsing replies. */
                while ((f->ftps_junk == 1) && (rptr < wptr)) {
                        /* advance to the next CR, or to the end of the data */
                        while ((rptr < wptr) && (*rptr != '\r'))
                                rptr++;

                        /* if rptr reached wptr this reads the byte at wptr,
                         * which lies outside the valid data */
                        if (*rptr == '\r') {
                                if (rptr + 1 < wptr) {
                                        if (*(rptr + 1) == '\n') {
                                                /* CRLF found: skip it, leave junk mode */
                                                rptr += 2;
                                                f->ftps_junk = 0;
                                        } else
                                                /* bare CR: keep scanning */
                                                rptr++;
                                } else
                                        /* CR is the last byte: wait for more data */
                                        break;
                        }
                }

-- 
Carson
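Both reply layouts quoted above are multi-line replies in the sense of RFC 959 section 4.2, which only requires the opening line to begin with "ddd-" and the closing line with the same code followed by a space; the lines in between may be anything. The scanner below is added here as an illustration, not code from the post or from ipfilter: it walks a control-channel stream on that rule, reports how many complete replies it contains and the code of the last one, and leaves a reply whose closing line has not yet arrived uncounted, which is exactly the case a proxy has to wait on rather than treat as junk. Function names and sample streams are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* True if the line starting at p carries a three-digit reply code. */
static int has_code(const char *p, const char *eol)
{
    return eol - p >= 3 && p[0] >= '0' && p[0] <= '9' &&
           p[1] >= '0' && p[1] <= '9' && p[2] >= '0' && p[2] <= '9';
}

/*
 * Count the complete FTP replies in buf[0..len) as RFC 959 section 4.2
 * defines them: a multi-line reply opens with "ddd-" and closes at the
 * first later line that begins with the same "ddd " (code, then space);
 * every line in between is continuation text no matter how it starts, so
 * the tab-indented form quoted above is consumed like the "230-blah" form.
 * *last receives the code of the last complete reply (-1 if none); a
 * trailing partial reply stays uncounted so the caller can wait for data.
 */
int ftp_count_replies(const char *buf, size_t len, int *last)
{
    const char *p = buf, *end = buf + len;
    int count = 0, open_code = -1;   /* code of the multi-line reply in progress */
    *last = -1;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        if (eol == NULL)
            break;                   /* incomplete line: nothing to decide yet */
        if (has_code(p, eol)) {
            int code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
            char sep = (eol - p > 3) ? p[3] : ' ';
            if (open_code < 0 && sep == '-') {
                open_code = code;               /* multi-line reply opens */
            } else if (open_code < 0 || (code == open_code && sep != '-')) {
                count++;                        /* single-line reply, or close */
                *last = code;
                open_code = -1;
            }
            /* a different code inside an open reply is continuation text */
        }
        /* lines without a code are continuation text (or junk if none is open) */
        p = eol + 1;
    }
    return count;
}

/* Convenience for NUL-terminated sample streams: code of the last complete reply. */
int ftp_last_code(const char *s)
{
    int last;
    ftp_count_replies(s, strlen(s), &last);
    return last;
}
```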
