More spf questions (bug report?)
I have implemented a packet filtering firewall based on spf, but I
am experiencing some problems with ftp, best explained by example:
1) I open an ftp connection (e.g. to ftp.kernel.org)
2) I set my client to passive mode
3) I begin transferring a large file (e.g. a kernel source tarball)
4) the transfer is initiated from me, therefore spf opens up a port for
the reply packets
5) the transfer lasts long enough for spf to timeout and close the channel
for reply packets on the ftp control port
6) when the transfer is over, the ftp site cannot tell me that the
transfer is over, ftp hangs and waits until it times out and closes the
connection.
A possible cure would be to simply set a static input rule letting
through tcp packets with the SYN flag unset. This should be relatively
safe (and the default behaviour of non-debian spf, if I remember
correctly), but it would also let through some portscans. Any simple
solutions?
Thanks in advance
Giacomo
________________________________________________________________________
Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it, gmulas@eso.org>
________________________________________________________________________
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
________________________________________________________________________
"Outside of a dog, a book is a man's best friend
Inside of a dog, it's too dark to read..."
(Groucho Marx)
________________________________________________________________________
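A toy model of the timeout behaviour described in the post, added here as an illustration and not spf's own code: an outbound SYN opens a dynamic return channel, idle channels expire, and the static "accept inbound packets with SYN clear" rule proposed above is compared with simply giving established connections a longer idle timeout. The port numbers, timeouts and the description of spf's channel logic are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float         # arrival time in seconds
    sport: int       # source port
    dport: int       # destination port
    syn: bool        # SYN flag set
    outbound: bool   # sent by the protected client, else inbound

class StatefulFilter:
    """Toy spf-like tracker (an assumption about spf, not its code): an outbound
    SYN opens a channel keyed on (local port, remote port), matching traffic
    refreshes it, and a channel idle for idle_timeout seconds is expired.
    allow_non_syn models the static rule proposed in the post."""
    def __init__(self, idle_timeout, allow_non_syn=False):
        self.idle_timeout = idle_timeout
        self.allow_non_syn = allow_non_syn
        self.channels = {}  # (local port, remote port) -> last seen time

    def handle(self, pkt):
        # expire idle channels first, as a timer-driven filter would
        self.channels = {k: t for k, t in self.channels.items()
                         if pkt.t - t < self.idle_timeout}
        if pkt.outbound:
            key = (pkt.sport, pkt.dport)
            if pkt.syn or key in self.channels:
                self.channels[key] = pkt.t   # open or refresh the channel
            return "ACCEPT"
        key = (pkt.dport, pkt.sport)
        if key in self.channels:
            self.channels[key] = pkt.t
            return "ACCEPT"
        if self.allow_non_syn and not pkt.syn:
            return "ACCEPT"                  # stateless exception, no channel
        return "DROP"

def passive_ftp_scenario(idle_timeout, allow_non_syn=False, transfer_seconds=3600):
    """Replay the post's sequence (constructed ports/times) and return the fate
    of the server's end-of-transfer reply on the control connection and of an
    unsolicited non-SYN packet to a port that has no channel."""
    f = StatefulFilter(idle_timeout, allow_non_syn)
    f.handle(Packet(0, 40000, 21, True, True))         # control connection opened
    f.handle(Packet(1, 21, 40000, False, False))       # server replies on control
    f.handle(Packet(2, 40001, 50123, True, True))      # PASV data connection opened
    for t in range(3, 3 + transfer_seconds, 60):       # data flows, control idle
        f.handle(Packet(t, 50123, 40001, False, False))
    reply = f.handle(Packet(3 + transfer_seconds, 21, 40000, False, False))
    probe = f.handle(Packet(4 + transfer_seconds, 12345, 40002, False, False))
    return reply, probe
```

With a 1800 s timeout the "transfer complete" reply is dropped, exactly the hang described; the static non-SYN rule lets it through but also admits the unsolicited packet, while a timeout longer than the transfer admits only the reply.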