Date: Thu, 11 Oct 2001 07:11:43 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Allen Landsidel <all@biosys.net>
Cc: freebsd-security@FreeBSD.ORG, "Brock Kreiser" <root63@earthlink.net>
Subject: Re: firewall
Message-ID: <200110111411.f9BEBwm06821@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 11 Oct 2001 09:46:21 EDT." <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>
In message <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>, Allen Landsidel writes:
> At 06:24 AM 10/11/2001 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>
> >Having said all that, you will have to seriously open your firewall in
> >order to make FTP work properly through your firewall. Even if you
> >restrict your FTP clients to using PORT (active) FTP, people can still
> >use an FTP bounce to map or even gain access to other hosts and ports
> >behind the firewall through your FTP server. These are two of the
>
> Can I get something clarified here? Judging by the tone of that statement,
> do you advocate using PORT over PASV?
>

No tone was intended. I've had the flu since Tuesday and am very crabby. :(

PORT FTP should be used when the FTP server is protected by a firewall that does not support an FTP proxy. Passive FTP should be used when the client is protected by a firewall that does not support an FTP proxy. If both client and server are protected by firewalls that don't support FTP proxies, you're pretty much SOL. (There is a thread currently on the IP Filter mailing list about just this topic.)

> I agree standalone FTP has some pretty bad security implications, including
> hijacked sessions and password sniffing.. but that's what we have ftp-only
> users for. Passive mode I think is a far safer alternative than active
> also, as far as blowing holes in your firewall goes.

See my comments above. Passive FTP is safer for clients, PORT FTP is safer for servers, hence the dilemma. Who (server or client) sacrifices the protection provided by their firewall in order to make the FTP protocol work from behind opposing firewalls?

The FTP protocol allows you to use an FTP server as a proxy to connect to a third FTP server. One can use this feature of the FTP protocol to connect to other servers behind the same firewall as an FTP server. It is conceivable that one could use an FTP server to connect to arbitrary ports or even servers behind the same firewall that protects the FTP server.

Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
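The FTP bounce Cy describes works because the PORT command (RFC 959: `PORT h1,h2,h3,h4,p1,p2`) lets the client name any host and port as the target of the data connection, and a server that honours it blindly will open that connection from behind its own firewall. The standard server-side mitigation, recommended in RFC 2577 (FTP Security Considerations), is to refuse PORT commands that name a host other than the control-connection peer or a privileged port below 1024. The following is an added example, not code from this thread or from any FreeBSD FTP daemon, showing that check as a parser plus a policy function; the IP addresses and PORT lines it tests are constructed sample values.

```python
import re

# RFC 959 PORT syntax: six comma-separated decimal bytes (four for the
# IPv4 address, two for the 16-bit port, high byte first).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

PRIVILEGED_PORT_LIMIT = 1024  # RFC 2577 section 3: refuse ports below this


def parse_port_command(line):
    """Parse an FTP PORT command into (ip, port).

    Returns None when the line is not a syntactically valid PORT command
    (wrong verb, wrong field count, or a byte value above 255).
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def accept_port_command(line, control_peer_ip, allow_third_party=False):
    """Decide whether a server should honour a PORT command.

    control_peer_ip is the address the control connection came from
    (hypothetical parameter: a real daemon would take it from getpeername).
    Returns (accepted, reason). With allow_third_party left False the
    server only opens data connections back to the peer it is talking to,
    which is what closes the bounce-to-other-hosts path described above.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if port < PRIVILEGED_PORT_LIMIT:
        # Blocks using the server to reach SMTP, HTTP and other well-known
        # services on any host, including the peer itself.
        return False, "refusing privileged data port %d" % port
    if not allow_third_party and ip != control_peer_ip:
        return False, (
            "PORT target %s differs from control peer %s; possible bounce"
            % (ip, control_peer_ip)
        )
    return True, "data connection to %s:%d permitted" % (ip, port)


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed sample control-connection peer
    for cmd in ("PORT 192,0,2,10,4,1",     # peer, port 1025: fine
                "PORT 10,0,0,5,19,137",    # other host, port 5001: bounce
                "PORT 192,0,2,10,0,80",    # peer, but port 80: privileged
                "PORT 999,0,0,1,4,1"):     # malformed byte value
        print(cmd, "->", accept_port_command(cmd, peer))
```

On a firewall without an FTP proxy this check is the only thing standing between "the FTP server is reachable" and "every host the FTP server can reach is reachable", so it belongs in the daemon regardless of whether clients are steered toward PORT or PASV.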