Date: Fri, 04 Aug 1995 09:19:37 -0500 From: William McVey - wam <wamcvey@fedex.com> To: Paul Traina <pst@freefall.cdrom.com> Cc: security@freefall.cdrom.com Subject: Re: FTP data port restrictions Message-ID: <199508041418.AA05932@gateway.fedex.com>
next in thread | raw e-mail | index | archive | help
Paul Traina wrote: >The basic idea here is that we leave 40000-44999 open, since no known >sane services reside there (yeah, sure...) at the firewalls, and can >therefore button down everything else. It's important for people to realize that allowing arbitrary connections into your inside network even if they are destined for these ranges is still not a safe thing to do. The problem is that although no *sane* services are running in this block of ports, we still have the problem of RPC dynamic port allocation, so for as far as we know nfsd or mountd could be running in this range. The feature of resticting port ranges may still be usefull for proxy services (since you know you aren't running any rpc services on your proxy host), but if a site's security depends on a screening router, I'd hate for people to get the idea that these ports are deemed "safe". -- William
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199508041418.AA05932>