Problem with Inbound Passive FTP

samba, 09-03-2007

Hi All,
I am facing problems with inbound FTP. I have tried to analyze the code
in ippr_ftp_process() and appr_fixseqack() and have failed to understand
how passive ftp would work. Here is the description of my analysis.

In case of inbound FTP, control command

"Response: 227 Entering Passive Mode (x1,x2,x3,x4,p1,p2)"

would be sent from the server to the client, i.e. from LAN to WAN. The
proxy would intercept the above command and modify it as below

"Response: 227 Entering Passive Mode (y1,y2,y3,y4,p1,p2)"

Let us say, that during the process of modifying the IP address in the
control command above it has injected 3 bytes into the TCP stream. This
will cause the aps_seqmin and aps_seqoff to be set by the
appr_fixseqack() function which is called right after
ippr_ftp_process(). The code snippet which does this is given below.

[...]

    if (inc && (seq1 > aps->aps_seqmin[!sel])) {
        aps->aps_seqmin[sel] = seq1 + nlen - 1;
        aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
        if (ipf_proxy_debug > 7)
            printf("proxy seq set %d at %x to %d + %d\n",
                   sel, aps->aps_seqmin[sel],
                   aps->aps_seqoff[sel], inc);
    }

[...]

At this point aps_ackmin and aps_ackoff are 0.

Now, say the client responds to this packet with an ack = seq1 + nlen.
The ippr_ftp_process() function is dropping this packet. The code
diagnoses this packet as being invalid because of the following reasons.

In this case rv=0 (because it's a redirect rule and rv=0 indicates
inbound processing). The evaluation of seqoff and ackoff will result in
3 and 0 respectively. Since ackoff is 0, the following checks fail in
ippr_ftp_process():

[....]

    if (ackoff == 0) {
        if (t->ftps_seq[0] == thack)
            ok = 1;
        else if (t->ftps_seq[1] == thack) {
            t->ftps_seq[0] = thack;
            ok = 1;
        }

[....]

The packet eventually gets dropped.

I have a feeling that this code is not able to handle inbound passive
FTP scenarios. All other scenarios work fine (outbound active, outbound
passive, inbound active).

Can someone enlighten me if I am missing something here? I can provide
the ethereal traces and the console debug output with ippr_ftp_debug
and ipf_proxy_debug set, if required.

Thanks in advance for any help

regards
samba
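
The bookkeeping described in the post above (rewrite the 227 reply, record how many bytes the stream grew, translate the client's ACK back before the server sees it), as an added example that is not part of the original post and is not IPFilter's code. It is a simplified model: `struct seqfix`, `rewrite_227`, `note_rewrite`, `fix_ack` and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct seqfix {       /* illustrative model, not IPFilter's own structure */
    uint32_t seqmin;  /* last wire sequence number of the rewritten segment */
    int32_t  seqoff;  /* bytes added to the stream, this rewrite included */
    int32_t  prevoff; /* bytes added before this rewrite */
};

/* Put newip ("y1,y2,y3,y4") into a CRLF-terminated 227 reply; returns bytes added. */
int rewrite_227(const char *in, const char *newip, char *out, size_t outlen)
{
    unsigned p1, p2;
    const char *paren = strncmp(in, "227 ", 4) ? NULL : strchr(in, '(');
    int n = -1;
    if (paren && sscanf(paren, "(%*u,%*u,%*u,%*u,%u,%u)", &p1, &p2) == 2)
        n = snprintf(out, outlen, "%.*s(%s,%u,%u)\r\n",
                     (int)(paren - in), in, newip, p1, p2);
    if (n < 0 || (size_t)n >= outlen)        /* no match or no room: pass through */
        n = snprintf(out, outlen, "%s", in);
    return n - (int)strlen(in);
}

/* Server -> client segment: record a rewrite, return the sequence put on the wire. */
uint32_t note_rewrite(struct seqfix *s, uint32_t seq, uint32_t newlen, int inc)
{
    uint32_t wire = seq + (uint32_t)s->seqoff;
    if (inc == 0) return wire;               /* length unchanged: nothing to record */
    s->seqmin = wire + newlen - 1;
    s->prevoff = s->seqoff;
    s->seqoff += inc;
    return wire;
}

/* Client -> server ACK: map the wire value back; the comparison is wrap-safe. */
uint32_t fix_ack(const struct seqfix *s, uint32_t ack)
{
    return ack - (uint32_t)((int32_t)(ack - s->seqmin) > 0 ? s->seqoff : s->prevoff);
}

int main(void)
{
    struct seqfix s = {0, 0, 0};
    char out[128];
    int inc = rewrite_227("227 Entering Passive Mode (10,0,0,5,195,80)\r\n",
                          "192,0,2,100", out, sizeof out); /* constructed input */
    uint32_t end = note_rewrite(&s, 1000, strlen(out), inc) + strlen(out);
    printf("inc=%d ack %u -> %u\n", inc, (unsigned)end, (unsigned)fix_ack(&s, end));
}
```

The constructed addresses are chosen so that the rewrite adds 3 bytes, matching the figure used in the post.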