Vinod,
I was able to confirm this (iptables 1.2.11, kernel 2.6.9). The PORT command is indeed forwarded and unmangled, even if NAT is being used for the control session.
However, it appears that, while the PORT command is allowed and passed on to the server, the resulting "EXPECTING" connection (data channel) is not made available. So in that way the bounce attack is stopped. It appears, by glancing through the code, that this is the intended design.
But, this amounts to only disabling a bounce attack *through* the firewall. It does *not* restrict me from connecting to another device *behind* the firewall (or more specifically, to any host on the same side of the firewall as the server).
I think this has some significant security implications. I think you're right to raise the issue.
-dave
On Fri, 28 Jan 2005, Vinod Chandran wrote:
Hi,
I am currently using iptables 1.2.11 with the patch-o-matic patch applied.
Its documented that netfilter is patched to protect against FTP bounce attacks, when an invalid IP is given in the FTP PORT command.
I can detect the PORT command reaching the FTP server through the router( containing netfilter), even when I give an ivalid IP.
I would like to know whether the patch is not working or whether the patch is meant to not allow the resulting bounce attack, even with allowing the PORT command to pass through.
Thanks and Regards, Vinod C
