Date: Thu, 11 Oct 2001 10:06:39 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: Allen Landsidel <all@biosys.net>
Cc: <freebsd-security@FreeBSD.ORG>, Brock Kreiser <root63@earthlink.net>
Subject: Re: firewall
Message-ID: <20011011100410.G7007-100000@mail.wlcg.com>
In-Reply-To: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Passive FTP requires a larger hole in the firewall than active does. You must open port 21 as well as ports > 1024. Not good. If you use ipfilter and are keeping state, you only need the one pass in rule for port 21. The state tables take care of the rest.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 11 Oct 2001, Allen Landsidel wrote:

> At 06:24 AM 10/11/2001 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>
> >Having said all that, you will have to seriously open your firewall in
> >order to make FTP work properly through your firewall. Even if you
> >restrict your FTP clients to using PORT (active) FTP, people can still
> >use an FTP bounce to map or even gain access to other hosts and ports
> >behind the firewall through your FTP server. These are two of the
>
> Can I get something clarified here? Judging by the tone of that statement,
> do you advocate using PORT over PASV?
>
> I agree standalone FTP has some pretty bad security implications, including
> hijacked sessions and password sniffing... but that's what we have ftp-only
> users for. Passive mode I think is a far safer alternative than active
> also, as far as blowing holes in your firewall goes.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7xadyv8Bofna59hYRA2v8AJ91pR1uuIAJmSTE1X6ZHye1996ugACfZHm+
kBgN+leHPSwRdNHGD+nd9f4=
=gWqM
-----END PGP SIGNATURE-----
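As an added illustration (not code from the original thread, and not ipfilter's own code): what a stateful engine, or the FTP proxy that a stateful packet filter such as ipfilter pairs with its state tables through ipnat, has to read out of the control channel before it can admit one data connection per transfer instead of a blanket "ports > 1024" rule, in both PORT (active) and PASV (passive) mode. It also carries the check behind the FTP-bounce remark quoted above: a PORT whose address is not the client's own, or a 227 reply pointing somewhere other than the server, is refused rather than opened. The transcript format ("C "/"S " prefixes), the addresses and the session below are constructed for the example.

```python
# Added example (not code from the original mailing-list post): what a
# stateful firewall or FTP-aware proxy must do with the control channel to
# admit exactly one data connection per transfer, for both active (PORT) and
# passive (PASV) FTP, plus the bounce check that a plain "port 21" rule
# does not give you. IPs, ports and the transcript are constructed sample data.
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2  (client tells the server where to connect back to)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server tells the client where to connect)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One dynamic rule: allow a TCP SYN from src to dst:dport."""
    direction: str   # "in"  = server connects to client (active FTP)
                     # "out" = client connects to server (passive FTP)
    src: str
    dst: str
    dport: int


def _host_port(groups):
    """Decode the six comma-separated decimal octets of a PORT command or 227 reply."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % (groups,))
    host = ".".join(str(o) for o in octets[:4])
    return host, (octets[4] << 8) | octets[5]


def track_ftp(transcript, client_ip, server_ip):
    """
    Walk a control-channel transcript.  Each entry is "C <line>" (client to
    server) or "S <line>" (server to client).  Returns (pinholes, alerts):
    the data connections the firewall should admit, and the address
    mismatches it should refuse.  Anything else on the channel is ignored.
    """
    pinholes, alerts = [], []
    for entry in transcript:
        who, _, text = entry.partition(" ")
        if who == "C" and (m := PORT_RE.match(text)):
            host, port = _host_port(m.groups())
            if host != client_ip:
                # Classic FTP bounce: the client asks the server to open a
                # connection to a third host.  Refusing here is the check
                # the bounce discussion in the quoted text is about.
                alerts.append("bounce: PORT %s:%d from client %s" % (host, port, client_ip))
                continue
            if port < 1024:
                alerts.append("PORT to privileged port %d refused" % port)
                continue
            pinholes.append(Pinhole("in", server_ip, host, port))
        elif who == "S" and (m := PASV_RE.match(text)):
            host, port = _host_port(m.groups())
            if host != server_ip:
                # Mirror image for passive mode: a server (or a spoofed reply)
                # redirecting the client to some other host behind the firewall.
                alerts.append("227 redirect to %s:%d, not the server %s" % (host, port, server_ip))
                continue
            pinholes.append(Pinhole("out", client_ip, host, port))
    return pinholes, alerts


# Constructed sample session: client 192.0.2.10 talking to server 198.51.100.5.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
SAMPLE_TRANSCRIPT = [
    "C USER anonymous",
    "S 230 Login successful.",
    "C PORT 192,0,2,10,4,1",                               # active: client port 4*256+1 = 1025
    "S 200 PORT command successful.",
    "C PORT 10,0,0,7,0,25",                                # bounce attempt at 10.0.0.7:25
    "C PASV",
    "S 227 Entering Passive Mode (198,51,100,5,195,88).",  # passive: 195*256+88 = 50008
    "S 227 Entering Passive Mode (10,0,0,9,0,80).",        # redirect to an internal host
]


def demo():
    """Run the tracker over the constructed session; returns (pinholes, alerts)."""
    return track_ftp(SAMPLE_TRANSCRIPT, CLIENT_IP, SERVER_IP)


if __name__ == "__main__":
    holes, found = demo()
    for h in holes:
        print("allow %-3s tcp %s -> %s port %d" % (h.direction, h.src, h.dst, h.dport))
    for a in found:
        print("ALERT", a)
```

Each Pinhole is the narrow, short-lived rule a state engine installs for one transfer; the two alerts are the cases where a firewall that trusted the control channel blindly would open a path to a host that is neither end of the session.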
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011011100410.G7007-100000>