From owner-freebsd-security Thu Oct 11 7:13:25 2001
Message-Id: <200110111411.f9BEBwm06821@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Allen Landsidel
Cc: freebsd-security@FreeBSD.ORG, "Brock Kreiser"
Subject: Re: firewall
In-reply-to: Your message of "Thu, 11 Oct 2001 09:46:21 EDT."
Date: Thu, 11 Oct 2001 07:11:43 -0700

In message <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>, Allen Landsidel writes:

> At 06:24 AM 10/11/2001 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>
> >Having said all that, you will have to seriously open your firewall in
> >order to make FTP work properly through your firewall. Even if you
> >restrict your FTP clients to using PORT (active) FTP, people can still
> >use an FTP bounce to map or even gain access to other hosts and ports
> >behind the firewall through your FTP server. These are two of the
>
> Can I get something clarified here? Judging by the tone of that statement,
> do you advocate using PORT over PASV?

No tone was intended. I've had the flu since Tuesday and am very crabby. :(

PORT FTP should be used when the FTP server is protected by a firewall that does not support an FTP proxy. Passive FTP should be used when the client is protected by a firewall that does that support an FTP proxy. If both client and server are protected by firewalls that don't support FTP proxies, you're pretty much SOL. (There is a thread currently on the IP Filter mailing list about just this topic.)

> I agree standalone FTP has some pretty bad security implications, including
> hijacked sessions and password sniffing.. but that's what we have ftp-only
> users for. Passive mode I think is a far safer alternative than active
> also, as far as blowing holes in your firewall goes.

See my comments above. Passive FTP is safer for clients, PORT FTP is safer for servers, hence the dilemma. Who (server or client) sacrifices the protection provided by their firewall in order to make the FTP protocol work from behind opposing firewalls?
The FTP protocol allows you to use an FTP server as a proxy to connect to a third FTP server. One can use this feature of the FTP protocol to connect to other servers behind the same firewall as an FTP server. It is conceivable that one could use an FTP server to connect to arbitrary ports or even servers behind the same firewall that protects the FTP server.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
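The message above turns on two facts about FTP data connections: in PORT mode the server opens the data connection back to whatever address the client names, and in PASV mode the client opens it to the address the server names. The following is an editor's added example, not code from the thread or from any FreeBSD FTP daemon: it parses the `h1,h2,h3,h4,p1,p2` tuple used by both PORT and the 227 reply, records which side must accept the inbound data connection (and therefore which firewall needs the hole), and applies the usual server-side defence against the bounce Cy describes, namely refusing a PORT whose address is not the control connection's own peer or whose port is reserved. Function names, the `DataEndpoint` type and all sample addresses are the editor's own assumptions.

```python
"""Added example: FTP PORT/PASV parsing and the server-side anti-bounce check.

Not from the mailing-list thread; names and sample values are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Both "PORT h1,h2,h3,h4,p1,p2" and "227 ... (h1,h2,h3,h4,p1,p2)" carry this tuple.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    # Which side listens for the data connection, i.e. whose firewall must
    # permit an inbound connection: "client" for PORT, "server" for PASV.
    listener: str


def parse_hostport(text):
    """Return (dotted_host, port) from an h1,h2,h3,h4,p1,p2 tuple found in text."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % text)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def parse_port_command(line):
    """PORT (active) mode: the client names where the server should connect."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    host, port = parse_hostport(arg)
    return DataEndpoint(host, port, "client")


def parse_pasv_reply(line):
    """227 reply to PASV: the server names where the client should connect."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    host, port = parse_hostport(line)
    return DataEndpoint(host, port, "server")


def port_command_allowed(line, control_peer_ip):
    """Server-side check: accept a PORT only if it points back at the client that
    owns the control connection, on a non-reserved port.  A PORT naming any other
    host would make this server open a connection on the client's behalf, which
    is the bounce the thread warns about."""
    try:
        ep = parse_port_command(line)
    except ValueError:
        return False, "malformed PORT"
    if ipaddress.ip_address(ep.host) != ipaddress.ip_address(control_peer_ip):
        return False, "PORT address %s does not match control peer %s" % (ep.host, control_peer_ip)
    if ep.port < 1024:
        return False, "PORT to reserved port %d" % ep.port
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample session: the control connection comes from 10.1.2.3.
    client = "10.1.2.3"
    for cmd in ("PORT 10,1,2,3,4,1",        # legitimate: back to the client, port 1025
                "PORT 192,0,2,50,0,25",     # another host, port 25: bounce attempt, rejected
                "PORT 10,1,2,3,0,21"):      # client itself but a reserved port: rejected
        ok, why = port_command_allowed(cmd, client)
        print("%-24s -> %s (%s)" % (cmd, "accept" if ok else "reject", why))
    pasv = parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)")
    print("PASV: %s listens on %s:%d" % (pasv.listener, pasv.host, pasv.port))
```

The `listener` field is the whole of the dilemma in the message: the firewall on the listening side is the one that has to admit an unsolicited inbound connection to a high port, which is why PASV suits a firewalled client and PORT suits a firewalled server, and why neither helps when both sides are filtered without an FTP-aware proxy.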