
More spf questions (bug report?)



	I have implemented a packet filtering firewall based on spf, but I
am experiencing some problems with ftp, best explained by example:
1) I open an ftp connection (e.g. to ftp.kernel.org)
2) I set my client to passive mode
3) I begin transferring a large file (e.g. a kernel source tarball)
4) the transfer is initiated from me, therefore spf opens up a port for
the reply packets
5) the transfer lasts long enough for spf to timeout and close the channel 
for reply packets on the ftp control port
6) when the transfer is over, the ftp site cannot tell me that the
transfer is over, ftp hangs and waits until it times out and closes the
connection.

	A possible cure would be to simply set a static input rule letting 
through tcp packets with the SYN flag unset. This should be relatively
safe (and the default behaviour of non-debian spf, if I remember
correctly), but it would also let through some portscans. Any simple
solutions?

Thanks in advance
Giacomo

________________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>
________________________________________________________________________

OSSERVATORIO  ASTRONOMICO                                                
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
________________________________________________________________________

"Outside of a dog, a book is a man's best friend
 Inside of a dog, it's too dark to read..."
              (Groucho Marx)
________________________________________________________________________
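To make the trade-off in the question concrete, here is a small simulation of a stateful filter with an idle timeout, written as an added example (it is not spf's code, and the 300-second timeout, the port numbers and the packet timings are constructed for illustration). It replays a passive-mode session with a long data transfer and then compares three policies: plain idle-timeout tracking, the proposed static "accept any TCP packet without SYN" rule, and a protocol-aware tracker that keeps the control entry alive while its data channel is busy (a simplified stand-in for an FTP helper; it links the data connection to the control channel by timing rather than by parsing the PASV reply).

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds a tracked connection may stay idle (assumed value)


@dataclass(frozen=True)
class Packet:
    t: float           # arrival time in seconds (constructed)
    direction: str     # "out" = sent by us, "in" = sent by the remote side
    remote_port: int
    local_port: int
    syn: bool          # SYN flag set?


@dataclass
class Tracker:
    timeout: float = IDLE_TIMEOUT
    accept_non_syn: bool = False   # the static rule proposed in the post
    ftp_helper: bool = False       # refresh the control entry on data-channel traffic
    table: dict = field(default_factory=dict)       # (remote, local) -> last seen
    control_of: dict = field(default_factory=dict)  # data key -> control key

    def _expire(self, now):
        """Forget entries that have been idle longer than the timeout."""
        for key, last in list(self.table.items()):
            if now - last > self.timeout:
                del self.table[key]

    def filter(self, pkt):
        """Return 'accept' or 'drop' for one packet, updating state as spf would."""
        self._expire(pkt.t)
        key = (pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            # Outbound traffic always opens/refreshes a reply channel.
            if self.ftp_helper and pkt.syn and pkt.remote_port != 21:
                # Simplification: a new outbound SYN while a control channel is
                # open is treated as that session's passive data connection.
                for ctrl in self.table:
                    if ctrl[0] == 21:
                        self.control_of[key] = ctrl
                        break
            self.table[key] = pkt.t
            return "accept"
        # Inbound: accept only replies to a tracked connection ...
        if key in self.table:
            self.table[key] = pkt.t
            if self.ftp_helper:
                ctrl = self.control_of.get(key)
                if ctrl in self.table:
                    self.table[ctrl] = pkt.t   # data activity keeps control alive
            return "accept"
        # ... or, under the proposed static rule, anything without SYN.
        if self.accept_non_syn and not pkt.syn:
            return "accept"
        return "drop"


def ftp_session(tracker):
    """Replay a passive-mode transfer that outlasts the idle timeout."""
    tracker.filter(Packet(0, "out", 21, 40000, True))       # control channel SYN
    tracker.filter(Packet(1, "in", 21, 40000, False))       # server banner
    tracker.filter(Packet(2, "out", 50000, 40001, True))    # PASV data SYN
    t = 3
    while t < 700:                                          # data flows for ~700 s
        tracker.filter(Packet(t, "in", 50000, 40001, False))
        t += 10
    verdicts = {}
    # Server's "226 Transfer complete" on the long-idle control channel.
    verdicts["transfer_complete"] = tracker.filter(Packet(700, "in", 21, 40000, False))
    # Unsolicited inbound packets to a port we never opened (constructed).
    verdicts["ack_probe"] = tracker.filter(Packet(701, "in", 4444, 12345, False))
    verdicts["syn_probe"] = tracker.filter(Packet(702, "in", 4444, 12345, True))
    return verdicts


if __name__ == "__main__":
    for name, tr in [("idle timeout only", Tracker()),
                     ("accept non-SYN", Tracker(accept_non_syn=True)),
                     ("ftp helper", Tracker(ftp_helper=True))]:
        print(f"{name:18s} {ftp_session(tr)}")
```

With the plain tracker the control entry expires during the transfer and the completion reply is dropped, which is the hang described above. The static non-SYN rule lets that reply through, but it also lets through the unsolicited ACK to a closed port, which is exactly the scan traffic the post worries about. Keeping the control entry alive while its data channel is active accepts the reply without opening that hole, which is the approach protocol-aware connection trackers take.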

