From owner-freebsd-security Thu Oct 11 6:45:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id 30F9737B403 for ; Thu, 11 Oct 2001 06:45:14 -0700 (PDT) Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id 3121F1367E; Thu, 11 Oct 2001 09:44:26 +0000 (GMT) Message-Id: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org> X-Sender: asym@rfnj.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 11 Oct 2001 09:46:21 -0400 To: freebsd-security@FreeBSD.ORG, "Brock Kreiser" From: Allen Landsidel Subject: Re: firewall In-Reply-To: <200110111324.f9BDOvl06544@cwsys.cwsent.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:24 AM 10/11/2001 -0700, Cy Schubert - ITSD Open Systems Group wrote: >Having said all that, you will have to seriously open your firewall in >order to make FTP work properly through your firewall. Even if you >restrict your FTP clients to using PORT (active) FTP, people can still >use an FTP bounce to map or even gain access to other hosts and ports >behind the firewall through your FTP server. These are two of the Can I get something clarified here? Judging by the tone of that statement, do you advocate using PORT over PASV? I agree standalone FTP has some pretty bad security implications, including hijacked sessions and password sniffing.. but that's what we have ftp-only users for. Passive mode I think is a far safer alternative than active also, as far as blowing holes in your firewall goes. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message