Date: Sat, 1 Apr 2000 20:08:28 -0800
From: Andre Gironda
To: James Wyatt
Cc: Nate Williams, Andre Gironda, Jim Durham, freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <20000401200828.B319@toaster.sun4c.net>
In-Reply-To: from James Wyatt on Sat, Apr 01, 2000 at 05:02:17PM -0600

Yes, that's exactly it. Piercing firewalls is not always as simple as
passive vs active ftp. Proxies are a great idea in most cases, although
I think they're a bit restrictive. But then again, do you really want
people using programs like httptunnel and creating a potential security
problem?

Have you seen http://www.detached.net/mailtunnel.html ?

Guess that means that UUCP mail through a dial-up connection isn't
really that bad of an idea.

Controlling what data is *really* going through your network is more
complex than you think. Especially in this day and age.

dre

On Sat, Apr 01, 2000 at 05:02:17PM -0600, James Wyatt wrote:
> On Sat, 1 Apr 2000, Nate Williams wrote:
> > > export/setenv http_proxy!
> >
> > Huh?
> >
> > > of course, you have to find all of the distfiles manually, since only
> > > about 4% of them have an http site to download the source from.
> >
> > That's irrelevant. You can still download *ALL* of them via
> > passive-mode ftp. I have yet to find a site that didn't let me download
> > with ftp in passive mode, so if you are *truly* interested in security,
> > then you certainly don't want to open up so people can use active-mode
> > ftp from behind your firewall.
>
> Andre said his was a special case and that "it works though, but i doubt
> it's what you are looking for. i had to do this behind a firewall/proxy
> architecture that did not allow ftp."
>
> I took it to mean "*he* *has* to use HTTP to fetch because his firewall
> doesn't support *any* ftp" and that if there is some problem with active
> FTP it might still work. - Jy@

--
This program has been brought to you by the language C and the number F.
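The passive-versus-active point in the thread comes down to which end opens the FTP data connection. The following is an added example, not code from anyone on the list: it decodes the client's PORT command and the server's 227 PASV reply and reports whether an outbound-only firewall policy (clients may initiate, unsolicited inbound is dropped) would let the data transfer through. The sample command and reply are constructed.

```python
import re
from dataclasses import dataclass

# Client -> server in active mode: "PORT h1,h2,h3,h4,p1,p2" (RFC 959).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
# Server -> client in passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataConnection:
    mode: str       # "active" or "passive"
    initiator: str  # "server" (active) or "client" (passive)
    host: str       # endpoint the initiator connects to
    port: int


def _decode(groups):
    """Turn the six comma-separated byte values into (host, port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("byte value out of range in FTP address")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line):
    """Active mode: the client tells the server where to connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataConnection("active", "server", host, port)


def parse_pasv_reply(line):
    """Passive mode: the server tells the client where to connect out to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    host, port = _decode(m.groups())
    return DataConnection("passive", "client", host, port)


def allowed_by_egress_only_firewall(conn):
    """Outbound-only policy: only client-initiated data connections pass."""
    return conn.initiator == "client"
```

Running both parsers on a constructed PORT command and 227 reply shows the server-initiated active transfer being refused by the outbound-only policy while the client-initiated passive transfer is allowed.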