Date: Tue, 10 Mar 2009 15:21:08 -0500
Subject: Re: UPDATE: Active FTP Issue with inetutils 1.5
From: "Curt Gran (crazykz)"
To: cygwin AT cygwin DOT com

>I'm currently in the process of rebuilding all of "my" packages;
>inetutils is on the list and I'm making good progress plowing through
>that list. So, I should be able to get to it soon; most likely within
>the next week or two.
>
>Thank you for doing such a thorough job tracking this down. I saw your
>first message on this topic, and frankly I had no idea why the behavior
>changed from 1.3.x, nor if it was intentional upstream. Sergey was the
>right person to answer your question, and I'm glad you followed thru on
>that.
>
>--
>Chuck

Thanks for the response. The reason that I dug into this is that this impacted the customers we service remotely. We've also noticed that certain implementations of Sonic firewalls create the same issue, but in their case they are proxying FTP more so than just passing it through... I think.

This FTP issue also impacted access lists on Cisco routers and probably others. An access list is dumb but has the ability to allow the "ftp-data" port to come back through. This is just a dumb access list looking at the source or destination with port 20. Firewalls don't have this issue because they inspect the PORT command on the control channel to allow the data connection back on the "port" specified.

Since we use inetutils ftpd and we have access lists in certain places, we've had to redo our access lists and do all the inspection of these things at our firewalls. If you think about what this does to FTP: you see an IP connecting to another IP and both are using high-order "random" ports. That makes it almost impossible to implement any kind of security without doing packet inspection. We have customers that may only have low-end gear and use access lists, so we're trying not to impact our customers by this.

Anyway, I thank you for your help and hope that you'll be able to have a new fix for this soon. I realize this is all on a voluntary basis, so I appreciate the effort on your end to maintain and port the code. It's a great package.

Thanks,
Curt
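To make the distinction in the message concrete (a dumb access list that only matches the ftp-data source port versus a firewall that inspects the PORT command), here is an added Python example that is not part of the thread or of inetutils; the addresses, the client port and the "random high port" value are constructed for illustration.

```python
"""Why a stateless 'permit source port 20' access list passes classic
active-FTP data connections but not ones a server opens from a random
high port, while PORT-command inspection handles both."""
import re
from dataclasses import dataclass

FTP_DATA_PORT = 20  # the "ftp-data" port a dumb access list can match on


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str) -> tuple[str, int]:
    """Decode an active-mode PORT command (h1,h2,h3,h4,p1,p2) into the
    client address and port the server must connect back to."""
    m = re.fullmatch(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*", line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("octet out of range")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def stateless_acl_permits(flow: Flow, client_ip: str) -> bool:
    """Dumb client-side access list: permit inbound TCP whose source port
    is ftp-data (20). It never sees the control channel."""
    return flow.src_port == FTP_DATA_PORT and flow.dst_ip == client_ip


def inspecting_firewall_permits(flow: Flow, server_ip: str, port_cmd: str) -> bool:
    """Stateful firewall: read the PORT command on the control channel and
    allow exactly the announced data connection, whatever source port the
    server happens to use."""
    client_ip, client_port = parse_port_command(port_cmd)
    return (flow.src_ip == server_ip and flow.dst_ip == client_ip
            and flow.dst_port == client_port)


# Constructed scenario: client 192.0.2.10 asks server 198.51.100.5 to send
# data to port 50123 (195*256 + 203).
PORT_CMD = "PORT 192,0,2,10,195,203"
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
CLASSIC = Flow(SERVER, 20, CLIENT, 50123)       # data connection from port 20
HIGH_PORT = Flow(SERVER, 41337, CLIENT, 50123)  # constructed random high source port
```

With these inputs the access list permits only CLASSIC, while the inspecting firewall permits both flows because it keys on the announced client address and port.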