List: ipfilter
Subject: Re: Active FTP from firewall doesn't work for some URLs
From: Carson Gaspar <carson () taltos ! org>
Date: 2003-11-15 20:11:59
--On Saturday, November 15, 2003 10:38 PM +0530 Ram Chandar
<cnn_dinu01@sancharnet.in> wrote:
> For example, these URLs don't work
>
> ftp://us-1.updates.f-prot.com/pub/fp-def.zip
> ftp://ftp.ora.com/pub/examples/nutshell/ujip/doc/cjk.inf
>
> Can anybody try these URLs from their IPF enabled firewalls
> and verify this problem?
Verified. The FTP servers are doing something I'm pretty sure is in
violation of the RFC - passing multi-line responses to the client (I'll
have to track down the umpteen FTP RFCs to be certain...), and ipfilter
isn't handling it properly. Basically, they're doing:
230-text
blah
blah
blah
230 Anonymous access granted, restrictions apply.
Instead of:
230-text
230-blah
230-blah
230-blah
230 Anonymous access granted, restrictions apply.
I caught this in ipnat -l:
proxy ftp/6 use 2 flags 0
proto 6 flags 0 bytes 1042 pkts 11 data YES size 384
FTP Proxy:
passok: 2
Client:
seq 80476c0 len 16 junk 0 cmds 1
buf [USER anonymous\015\012\000]
Server:
seq 804777c len 76 junk 1 cmds 1
buf [ \015\012 Email contact: ftp-admin@f-prot.com\015\012
\015\
012220 FTP server ready.\015\012331 Anonymous login ok, send your complete
email
address as your password.\015\012rot.com/pub/\015\012 \015\000]
Followed by:
proxy ftp/6 use 2 flags 0
proto 6 flags 0 bytes 1673 pkts 20 data YES size 384
FTP Proxy:
passok: 2
Client:
seq 80476c0 len 10 junk 0 cmds 6
buf [CWD /pub\015\012@\015\012s\015\012\000]
Server:
seq 804777c len 20 junk 0 cmds 4
buf [200 Type set to I.\015\012irectory.\015\012estrictions
appl
y.\015\012 server ready.\015\012331 Anonymous login ok, send your complete
email
address as your password.\015\012rot.com/pub/\015\012 \015\000]
The FTP proxy missed the 331 response, so it doesn't handle the PORT
command.
It looks like this code should do the right thing, but clearly something is
going wrong:
	while ((f->ftps_junk == 1) && (rptr < wptr)) {
		while ((rptr < wptr) && (*rptr != '\r'))
			rptr++;
		if (*rptr == '\r') {
			if (rptr + 1 < wptr) {
				if (*(rptr + 1) == '\n') {
					rptr += 2;
					f->ftps_junk = 0;
				} else
					rptr++;
			} else
				break;
		}
	}
--
Carson
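
An added example, not code from ipfilter or from this message: a minimal C reply tracker that accepts both forms of multi-line reply shown above, ending a reply only on a line that starts with the same code followed by a space (the terminator defined in RFC 959 section 4.2). The struct and function names are hypothetical, and tolerating bare LF line endings is an assumption of this sketch.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical per-connection state; not ipfilter's own structure. */
struct ftp_reply_state {
    int  in_multi;   /* inside a "NNN-" multi-line reply */
    char code[3];    /* code that opened it */
};

/* One line without CRLF: returns the reply code when the line completes a
 * reply, 0 for text inside a multi-line reply, -1 for a malformed line. */
static int ftp_reply_line(struct ftp_reply_state *st, const char *l, size_t len)
{
    int has_code = len >= 4 && isdigit((unsigned char)l[0]) &&
                   isdigit((unsigned char)l[1]) && isdigit((unsigned char)l[2]);
    int code = has_code ? (l[0]-'0')*100 + (l[1]-'0')*10 + (l[2]-'0') : -1;

    if (st->in_multi) {
        /* Only "same code + space" ends the reply; anything else is text. */
        if (!has_code || l[3] != ' ' || memcmp(l, st->code, 3) != 0)
            return 0;
        st->in_multi = 0;
        return code;
    }
    if (has_code && l[3] == '-') {
        memcpy(st->code, l, 3);
        st->in_multi = 1;
        return 0;
    }
    return (has_code && l[3] == ' ') ? code : -1;
}

/* Scan one segment; completed codes go to out[]. *used is how many bytes
 * were consumed, so a partial last line can be kept for the next segment. */
size_t ftp_scan_replies(struct ftp_reply_state *st, const char *buf, size_t len,
                        int *out, size_t max, size_t *used)
{
    size_t pos = 0, n = 0;
    const char *nl;

    while (n < max && pos < len && (nl = memchr(buf + pos, '\n', len - pos))) {
        size_t end = (size_t)(nl - buf), llen = end - pos;
        if (llen > 0 && buf[end - 1] == '\r')
            llen--;
        int code = ftp_reply_line(st, buf + pos, llen);
        if (code > 0)
            out[n++] = code;
        pos = end + 1;
    }
    *used = pos;
    return n;
}
```

The caller keeps the bytes from `*used` onward and prepends them to the next segment, so a reply line split across TCP segments is never classified half-read.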