Date: Thu, 11 Oct 2001 10:23:26 -0400
From: Allen Landsidel <all@biosys.net>
To: Rob Simmons <rsimmons@wlcg.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewall
Message-ID: <5.1.0.14.0.20011011101105.00b17e30@rfnj.org>
In-Reply-To: <20011011100410.G7007-100000@mail.wlcg.com>
References: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>
At 10:06 AM 10/11/2001 -0400, you wrote:
>Passive FTP requires a larger hole in the firewall than active does. You
>must open port 21 as well as ports > 1024. Not good.
>
>If you use ipfilter and are keeping state, you only need the one pass in
>rule for port 21. The state tables take care of the rest.

Well, I've always considered PASV to be the safer of the two, although there is no good reason why.. with a PORT command, there is always the possibility (that you mentioned) that a malicious client could tell the server to connect to a port going god knows where, doing god knows what.. possibly doing some sort of mischief.

A PASV connection on the other hand doesn't require the server to connect out to some random unknown machine.. it just requires the random unknown machine to connect back to it on the port it says to. PASV sounds more secure to me simply because it requires an active man-in-the-middle attack to exploit it in the way a PORT connection can be exploited by design.

I don't see a problem with leaving some random high port range open for ftp to use, assuming the ftpd is smart enough to grab that port before it advertises that it has it back to the client.

My only real problem with ftp at all is that it sends passwords in plaintext, and doesn't do any sort of authentication outside of this. ftp in an ssh tunnel, or via ssl, is a reasonably solid alternative.. but then so is scp. Problem is, nobody (meaning most people who dope around ftp sites) has any idea what any of this means.
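The two server-side checks this message turns on, as an added example that is not part of the original thread or of any FreeBSD ftpd: refusing a PORT command whose target is not the control-connection peer or is a privileged port (the bounce case the PORT discussion describes), and binding a passive data port before it is advertised in the 227 reply (the "grab that port before it advertises it" point). The passive range 50000-50100 and the loopback bind address are assumptions chosen for the example.

```python
import ipaddress
import re
import socket

# Added example, not code from the original message or from any ftpd.
# The passive range below is an assumed value standing in for whatever
# high-port range the firewall permits.
PASV_RANGE = (50000, 50100)

_PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Parse the FTP 'h1,h2,h3,h4,p1,p2' form into (ip_str, port)."""
    m = _PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def validate_port_command(arg, control_peer_ip):
    """Accept a PORT target only if it is the control-connection peer on a
    non-privileged port; otherwise raise ValueError.  This is what stops a
    client from pointing the server's data connection at a third party."""
    ip, port = parse_port_arg(arg)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        raise ValueError("PORT target %s is not the control peer %s" % (ip, control_peer_ip))
    if port < 1024:
        raise ValueError("PORT target port %d is privileged" % port)
    return ip, port


def port_command_accepted(arg, control_peer_ip):
    """Boolean wrapper around validate_port_command for policy checks."""
    try:
        validate_port_command(arg, control_peer_ip)
        return True
    except ValueError:
        return False


def open_passive_socket(bind_ip="127.0.0.1", port_range=PASV_RANGE):
    """Bind and listen on a free port inside port_range, then build the
    227 reply from the port actually bound.  The bind happens first, so the
    port advertised to the client is guaranteed to be ours."""
    lo, hi = port_range
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((bind_ip, port))
        except OSError:
            s.close()
            continue
        s.listen(1)
        ip, bound_port = s.getsockname()
        h = ip.split(".")
        reply = "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
            h[0], h[1], h[2], h[3], bound_port // 256, bound_port % 256)
        return s, reply
    raise OSError("no free port in passive range %d-%d" % (lo, hi))


def advertised_port(reply):
    """Extract the port a 227 reply advertises, for checking it against the range."""
    inner = reply[reply.index("(") + 1:reply.index(")")]
    return parse_port_arg(inner)[1]


if __name__ == "__main__":
    # Constructed sample inputs: the client is 10.0.0.5.
    for arg in ("10,0,0,5,4,1", "10,0,0,6,4,1", "10,0,0,5,0,25"):
        print(arg, "accepted" if port_command_accepted(arg, "10.0.0.5") else "refused")
    sock, reply227 = open_passive_socket()
    print(reply227, "-> port", advertised_port(reply227))
    sock.close()
```

The PORT check is the one most firewall-only setups skip: a stateful "pass in to port 21" rule does nothing to stop the server itself from connecting wherever a PORT argument tells it to, so the server has to refuse targets other than its own peer. On the PASV side the range is bounded both in the firewall rule and in the daemon, and the socket is bound before the 227 reply is composed.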