strange solution with ftplib and changed firewall rules

Andrew Bennetts andrew-pythonlist at puzzling.org
Tue Feb 4 04:42:49 EST 2003


On Tue, Feb 04, 2003 at 01:15:57AM -0800, PiErre wrote:
> Andrew Bennetts <andrew-pythonlist at puzzling.org> wrote in message news:<mailman.1044019465.26635.python-list at python.org>...
> > On Fri, Jan 31, 2003 at 12:36:59AM -0800, PiErre wrote:
> [..snip RE: FTP firewall problems..]
> > 
> > > Since it seems that quite all the firewalls in the world allow passive
> > > connections if any, should I warn my customer that he could have
> > > a security problem?
> > 
> > If you're using FTP, regardless of firewalls and active or passive mode, you
> > probably have a security problem, as it transmits everything, including
> > authentication details, in the clear.
> since it will soon become an anonymous ftp (ftpd on freebsd)
> that's not the main issue,
> but, if I don't go wrong (but I'm not a guru so, please, be patient),
> I read that in an active ftp session after the client connects to the
> server the server itself tries to open a channel to the client to
> send/receive data;

Yes, that's basically correct.  In fact, it opens a new connection back to
the client for every single transfer.

> if the ftp client is behind a firewall that is generally not allowed,
> so normally a passive connection is preferred (and this can explain why
> passive connection has recently become the standard mode for ftplib):

Yep.

> after the client connects to
> the server then the server itself stands in a passive state waiting 
> for the client to open the second channel for data transfer.

Yep.

> My situation is: the ftp client of my customer is behind his firewall
> whose "strange" policy allows the ftp server to open back the data channel
> to the ftp client (my python application).
> Is this a security issue for my customer's firewall?
> Thanks again to all NG for your support

So you're asking if active FTP working means that the client has a security
problem?

The answer is "possibly".  It could well be that their firewall is smart
enough to understand FTP traffic, and is allowing only valid data
connections from the FTP server through to the client, but blocking other
access.  It could be that their firewall isn't restricting what ports are
reachable on the client at all.  Both could be a security problem, or not,
depending on the situation :)

If you're worried about their security, something like nmap is probably a
better diagnosis tool than FTP :)

-Andrew.
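To make the active/passive distinction discussed above concrete, here is an added example (not from the thread, and not ftplib's or any real server's code) that runs ftplib against a hypothetical toy FTP server on loopback in both modes and records which side had to open the data connection: in passive mode the client dials out, in active mode the client must accept an inbound connection from the server, which is exactly what the customer's firewall is letting through. It assumes Python 3 and that loopback sockets are available.

```python
import ftplib
import socket
import threading

PAYLOAD = b"hello from the constructed toy ftp server\n"  # constructed sample file
REPLIES = {"USER": "331 password please", "PASS": "230 logged in",
           "TYPE": "200 ok", "QUIT": "221 bye"}

def _serve_one(listener, log):
    # Toy single-session FTP server (hypothetical): just enough for ftplib to log in and RETR one file.
    ctrl, _ = listener.accept()
    say = lambda s: ctrl.sendall(s.encode() + b"\r\n")
    say("220 toy ftp ready")
    for raw in ctrl.makefile("rb"):
        cmd, _, arg = raw.decode().strip().upper().partition(" ")
        if cmd in REPLIES:
            say(REPLIES[cmd])
            if cmd == "QUIT": break
        elif cmd == "PASV":  # passive: server listens, client dials out to it
            dl = socket.socket(); dl.bind(("127.0.0.1", 0)); dl.listen(1)
            port = dl.getsockname()[1]
            say("227 Entering Passive Mode (127,0,0,1,%d,%d)" % (port >> 8, port & 0xFF))
            data = ("pasv", dl)
        elif cmd == "PORT":  # active: client listens, server must dial back in
            n = [int(x) for x in arg.split(",")]
            data = ("port", (".".join(map(str, n[:4])), n[4] * 256 + n[5]))
            say("200 PORT accepted")
        elif cmd == "RETR":
            say("150 opening data connection")
            if data[0] == "pasv":
                conn, _ = data[1].accept(); log.append("client->server")
            else:
                conn = socket.create_connection(data[1]); log.append("server->client")
            conn.sendall(PAYLOAD); conn.close()
            say("226 transfer complete")
        else:
            say("502 not implemented")
    ctrl.close()

def fetch(passive):
    # Fetch PAYLOAD with ftplib; return (bytes, which side opened the data socket).
    log = []
    listener = socket.socket(); listener.bind(("127.0.0.1", 0)); listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, log), daemon=True).start()
    ftp = ftplib.FTP(); ftp.connect("127.0.0.1", listener.getsockname()[1])
    ftp.login(); ftp.set_pasv(passive)   # anonymous login; ftplib defaults to passive
    chunks = []; ftp.retrbinary("RETR file.txt", chunks.append)
    ftp.quit(); listener.close()
    return b"".join(chunks), log[0]
```

The "server->client" result for `fetch(False)` is the inbound connection to an ephemeral client port that a firewall must either permit blindly or track by inspecting the PORT command on the control channel.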