ftp security patch

From kadlec@blackhole.kfki.hu Mon Sep 17 11:04:02 2001
Date: Tue, 5 Jun 2001 15:22:05 +0200 (CEST)
From: Jozsef Kadlecsik 
To: Rusty Russell 
Cc: netfilter-devel@lists.samba.org
Subject: Re: [PATCH] paranoid FTP conntrack/NAT 

On Tue, 5 Jun 2001, Rusty Russell wrote:

> In message  you write:
> > - ports requested by PORT/EPRT requests are opened up
> >   (expected) only if the FTP server accepts the requested
> >   port.
>
> 	Hmmm.  What are you trying to solve here?  If a server can
> fool a client into giving a PORT command, it can surely fake the
> response.

It's artistic: the goal is completeness :-). Why should the firewall open
up a port, when the server might refuse to accept it?

To make it clear: I'm not aware of any security hole in the current FTP
conntrack helper module. However it could be made more rigorous. In the
current conntrack/nat framework it might not count. But in the new
conntrack/nat code, in which a helper may create multiple expected
connections, a client could easily mount a DoS-like attack by
requesting ever new refused ports. (Of course it could be handled by a
per-protocol limit on the expected connections.)

But why shouldn't the helper be made as strict as possible?
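The behaviour discussed above, as an added example that is not part of the original thread and not netfilter code: a small model of a "paranoid" FTP helper in which a PORT/EPRT request from the client is only recorded as pending, and the expectation is committed only when the server answers with a 2xx reply; a refusal (4xx/5xx) discards it. The cap on unconfirmed requests models the per-protocol limit mentioned in the message as a guard against a client that floods PORT requests. All names, the cap value and the session transcript are assumptions constructed for the example.

```c
/* Added example (not netfilter code): a "paranoid" FTP helper model.
 * PORT/EPRT requests are queued as pending; an expectation is created only
 * when the server accepts the request with a 2xx reply. MAX_PENDING is an
 * assumed per-connection limit on unconfirmed requests (DoS guard). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 4      /* assumed cap on unconfirmed PORT/EPRT requests */
#define MAX_EXPECTED 16

struct ftp_helper {
    unsigned short pending[MAX_PENDING];   /* requested, not yet accepted */
    int npending;
    unsigned short expected[MAX_EXPECTED]; /* accepted by server: open these */
    int nexpected;
    int rejected_for_limit;                /* requests dropped by the cap */
};

/* Parse "PORT h1,h2,h3,h4,p1,p2" or "EPRT |1|a.b.c.d|port|".
 * Returns the requested data port, or -1 if the line is not a valid request. */
int ftp_parse_data_port(const char *line)
{
    int h1, h2, h3, h4, p1, p2, port;
    char addr[64];
    if (sscanf(line, "PORT %d,%d,%d,%d,%d,%d", &h1, &h2, &h3, &h4, &p1, &p2) == 6) {
        if (p1 < 0 || p1 > 255 || p2 < 0 || p2 > 255)
            return -1;
        port = p1 * 256 + p2;
        return port ? port : -1;
    }
    if (sscanf(line, "EPRT |1|%63[^|]|%d|", addr, &port) == 2) {
        if (port <= 0 || port > 65535)
            return -1;
        return port;
    }
    return -1;
}

/* Client -> server line: queue the request but open nothing yet.
 * Returns 1 if queued, 0 if not a PORT/EPRT line, -1 if refused by the cap. */
int ftp_helper_client(struct ftp_helper *h, const char *line)
{
    int port = ftp_parse_data_port(line);
    if (port < 0)
        return 0;
    if (h->npending >= MAX_PENDING) {
        h->rejected_for_limit++;
        return -1;
    }
    h->pending[h->npending++] = (unsigned short)port;
    return 1;
}

/* Server -> client reply: a final 2xx reply to the oldest pending request
 * turns it into an expectation; any other final reply discards it.
 * Returns 1 if an expectation was created, -1 if refused, 0 if ignored. */
int ftp_helper_server(struct ftp_helper *h, const char *reply)
{
    unsigned short port;
    if (h->npending == 0)
        return 0;
    if (strlen(reply) < 4 || !isdigit((unsigned char)reply[0]) ||
        !isdigit((unsigned char)reply[1]) || !isdigit((unsigned char)reply[2]) ||
        reply[3] == '-')
        return 0;                      /* continuation line or not a reply code */
    port = h->pending[0];
    memmove(&h->pending[0], &h->pending[1],
            (size_t)(h->npending - 1) * sizeof h->pending[0]);
    h->npending--;
    if (reply[0] == '2') {
        if (h->nexpected < MAX_EXPECTED)
            h->expected[h->nexpected++] = port;
        return 1;
    }
    return -1;                         /* server refused: nothing opened */
}

/* Run a constructed session (not captured traffic) through the helper. */
struct ftp_helper ftp_helper_demo(void)
{
    static const char *const session[] = {
        "C: PORT 192,168,1,10,4,1",          /* port 1025 */
        "S: 200 PORT command successful.",
        "C: PORT 192,168,1,10,0,80",          /* port 80, refused below */
        "S: 500 Illegal PORT command.",
        "C: EPRT |1|192.168.1.10|50000|",
        "S: 200 EPRT command successful.",
        /* client floods requests without waiting for replies */
        "C: PORT 192,168,1,10,8,1", "C: PORT 192,168,1,10,8,2",
        "C: PORT 192,168,1,10,8,3", "C: PORT 192,168,1,10,8,4",
        "C: PORT 192,168,1,10,8,5",
    };
    struct ftp_helper h;
    size_t i;
    memset(&h, 0, sizeof h);
    for (i = 0; i < sizeof session / sizeof session[0]; i++) {
        const char *l = session[i];
        if (l[0] == 'C')
            ftp_helper_client(&h, l + 3);
        else
            ftp_helper_server(&h, l + 3);
    }
    return h;
}

int main(void)
{
    struct ftp_helper h = ftp_helper_demo();
    int i;
    printf("expected data ports:");
    for (i = 0; i < h.nexpected; i++)
        printf(" %u", h.expected[i]);
    printf("\npending (unconfirmed): %d, rejected by limit: %d\n",
           h.npending, h.rejected_for_limit);
    return 0;
}
```

In the constructed session only the two accepted requests (1025 and 50000) become expectations; the port-80 request is dropped on the 500 reply, and the fifth unanswered PORT is refused by the cap rather than queued.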