
Re: Patch for gss ftp client to work through stateful firewalls



Thanks for the correction.

I put into proftpd an option AllowFWCCC and AllowCCC. With AllowFWCCC only
PORT and PASV commands are accepted in clear, so no other command can be
injected (the stateful firewall will control the correctness of
source/destination addresses). This patch is done for setups where a
(secure) ftp dropbox is located in a DMZ (third leg of a FW) and from
internal you allow gss ftp connections and from the Internet you use SSL
protected connections. This would allow a secure file transfer and
authentication (since the server doesn't need to connect to the kdc) from
the secure internal network to the DMZ.

Is this type of setup common?
Don't other people experience firewall problems?

Thank you and Regards
Markus

----- Original Message ----- 
From: "Love" <lha@stacken.kth.se>
To: "Markus Moeller" <markus_moeller@compuserve.com>
Cc: <heimdal-discuss@sics.se>
Sent: Friday, April 25, 2003 10:16 PM
Subject: Re: Patch for gss ftp client to work through stateful firewalls


>
> "Markus Moeller" <markus_moeller@compuserve.com> writes:
>
> > I have a patch for the gss ftp client to work with my proftpd gss module
> > http://sourceforge.net/projects/gssmod/ which switches to CCC mode just
> > before sending the PORT/PASV/EPSV/EPRT command.
> > This allows stateful firewalls like Checkpoint to inspect the traffic. You
> > can download it from
> > http://sourceforge.net/project/showfiles.php?group_id=70951.
> >
> > Any comments, suggestions are welcomed
>
> The patch doesn't take into consideration that signal handlers might
> longjmp, and then the global variable sec_complete might be reset to 0.
>
> Love
>
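The policy Markus describes (after a protected CCC, the server accepts only the data-connection verbs in the clear so that nothing else can be injected on the now-unprotected control channel) is easy to get wrong, so here is a small model of it. This is an added example, not code from proftpd, mod_gss or Heimdal: the class name FtpControlChannel, the option names allow_ccc/allow_fw_ccc, the reply texts and the inclusion of EPSV/EPRT alongside PORT/PASV are assumptions made for illustration, and HMAC-SHA256 stands in for the GSS_Wrap token behind RFC 2228's MIC framing so the script runs offline.

```python
"""Model of the AllowFWCCC / AllowCCC policy described in the mail.

Added example, not code from proftpd, mod_gss or Heimdal. The class and option
names below are assumptions chosen for illustration; HMAC-SHA256 stands in for
GSS_Wrap/MIC so the script runs offline.
"""
import base64
import hashlib
import hmac

# Verbs the server accepts in the clear after CCC in AllowFWCCC mode. The mail
# names PORT and PASV; EPSV/EPRT are added as an assumption because the client
# patch switches to CCC before them as well.
FW_CLEAR_VERBS = frozenset({"PORT", "PASV", "EPSV", "EPRT"})
TAG_LEN = 32  # HMAC-SHA256 output length


def mic_wrap(key: bytes, command: str) -> str:
    """Client side: wrap a command as 'MIC <base64>' (RFC 2228 framing).
    The payload is HMAC tag || command, a stand-in for a GSS_Wrap token."""
    data = command.encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return "MIC " + base64.b64encode(tag + data).decode()


def mic_unwrap(key: bytes, line: str) -> str:
    """Server side: verify and strip the MIC framing; raise on a bad tag."""
    raw = base64.b64decode(line.split(" ", 1)[1])
    tag, data = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MIC verification failed")
    return data.decode()


class FtpControlChannel:
    """Server-side control-channel state for one session (illustrative)."""

    def __init__(self, allow_ccc=False, allow_fw_ccc=False):
        self.allow_ccc = allow_ccc        # any command may be clear after CCC
        self.allow_fw_ccc = allow_fw_ccc  # only FW_CLEAR_VERBS may be clear
        self.key = None                   # set once GSSAPI auth completes
        self.ccc_active = False           # True after a protected CCC

    def authenticate(self, session_key: bytes) -> None:
        """Stand-in for AUTH GSSAPI / ADAT: afterwards every command must be
        MIC-protected until a CCC is accepted."""
        self.key = session_key
        self.ccc_active = False

    def handle(self, line: str) -> str:
        """Dispatch one control-channel line and return the reply."""
        if self.key is None:
            return "530 Please authenticate with AUTH GSSAPI first"
        if line.startswith("MIC "):
            try:
                command = mic_unwrap(self.key, line)
            except ValueError:
                return "535 Failed security check"
            return self._dispatch(command, protected=True)
        # Clear-text line after authentication: only legal after CCC, and in
        # AllowFWCCC mode only for the data-connection verbs the firewall needs.
        verb = line.split(" ", 1)[0].upper()
        if not self.ccc_active:
            return "533 Command protection level denied for policy reasons"
        if self.allow_ccc or (self.allow_fw_ccc and verb in FW_CLEAR_VERBS):
            return self._dispatch(line, protected=False)
        return "533 Command protection level denied for policy reasons"

    def _dispatch(self, command: str, protected: bool) -> str:
        verb = command.split(" ", 1)[0].upper()
        if verb == "CCC":
            if not protected:  # RFC 2228: CCC itself must arrive protected
                return "533 Command protection level denied for policy reasons"
            if not (self.allow_ccc or self.allow_fw_ccc):
                return "534 Request denied for policy reasons"
            self.ccc_active = True
            return "200 Command channel is now in the clear"
        # Real servers would run the verb here; the model only acknowledges it.
        return f"200 {verb} accepted ({'protected' if protected else 'clear'})"


def run_demo(key: bytes = b"\x11" * 32):
    """Constructed exchange for the mail's setup with AllowFWCCC on.
    Returns (client line, server reply) pairs."""
    server = FtpControlChannel(allow_fw_ccc=True)
    server.authenticate(key)
    script = [
        "PASV",                            # clear before CCC: refused
        mic_wrap(key, "CCC"),              # protected CCC: accepted
        "PASV",                            # clear PASV: firewall can read it
        "DELE /dropbox/secret.txt",        # injected clear command: refused
        mic_wrap(key, "RETR report.pdf"),  # real work still MIC-protected
        mic_wrap(b"\x22" * 32, "DELE x"),  # forged MIC, wrong key: refused
    ]
    return [(line[:40], server.handle(line)) for line in script]


if __name__ == "__main__":
    for line, reply in run_demo():
        print(f"C> {line}\nS> {reply}")
```

The point the model makes is the one in the mail: with allow_fw_ccc a firewall sees PORT/PASV (and can open the data connection pinhole) while an attacker on the path who injects a clear DELE or RETR gets 533, and a command with a forged MIC gets 535; with plain allow_ccc the same injected DELE would be accepted. Love's remark about sec_complete being reset by a longjmp out of a signal handler is the client-side analogue of the ccc_active flag here: if that state is lost, the client falls back to sending everything in the clear.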