Date:      Thu, 11 Oct 2001 10:23:26 -0400
From:      Allen Landsidel <all@biosys.net>
To:        Rob Simmons <rsimmons@wlcg.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: firewall 
Message-ID:  <5.1.0.14.0.20011011101105.00b17e30@rfnj.org>
In-Reply-To: <20011011100410.G7007-100000@mail.wlcg.com>
References:  <5.1.0.14.0.20011011094352.00b022e8@rfnj.org>

At 10:06 AM 10/11/2001 -0400, you wrote:


>Passive FTP requires a larger hole in the firewall than active does.  You
>must open port 21 as well as ports > 1024.  Not good.
>
>If you use ipfilter and are keeping state, you only need the one pass in
>rule for port 21.  The state tables take care of the rest.

Well, I've always considered PASV to be the safer of the two, although 
there is no good reason why.. with a PORT command, there is always the 
possibility (that you mentioned) that a malicious client could tell the 
server to connect to a port going god knows where, doing god knows what.. 
possibly doing some sort of mischief.  A PASV connection on the other hand 
doesn't require the server to connect out to some random unknown machine.. 
it just requires the random unknown machine to connect back to it on the 
port it says to.

PASV sounds more secure to me simply because it requires an active 
man-in-the-middle attack to exploit it in the way a PORT connection can be 
exploited by design.  I don't see a problem with leaving some random high 
port range open for ftp to use, assuming the ftpd is smart enough to grab 
that port before it advertises that it has it back to the client.

My only real problem with ftp at all is that it sends passwords in 
plaintext, and doesn't do any sort of authentication outside of this.  ftp 
in an ssh tunnel, or via ssl, is a reasonably solid alternative.. but then 
so is scp.  Problem is, nobody (meaning most people who dope around ftp 
sites) has any idea what any of this means.
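The PORT-abuse risk and the PASV counterpart discussed above, as an added example that is not part of this thread: a server-side check that only accepts a PORT command pointing back at the control-connection peer on an unprivileged port, and the matching client-side check on a 227 PASV reply. All addresses are constructed sample values.

```python
import ipaddress


def parse_hostport(arg):
    """Parse the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated fields")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be 0-255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def parse_pasv_reply(line):
    """Extract (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    start = line.find("(")
    end = line.find(")", start)
    if start < 0 or end < 0:
        raise ValueError("no address in 227 reply")
    return parse_hostport(line[start + 1:end])


def port_command_is_safe(arg, control_peer_ip):
    """Server side: refuse a PORT that would make the server connect anywhere
    other than the client it is already talking to, or to a privileged port.
    This is the check that stops a client steering the server at a third host."""
    try:
        host, port = parse_hostport(arg)
    except ValueError:
        return False
    if port < 1024:
        return False
    return ipaddress.ip_address(host) == ipaddress.ip_address(control_peer_ip)


def pasv_reply_is_safe(line, server_ip):
    """Client side: only open the data connection to the server we logged into,
    so a tampered 227 reply cannot redirect the data channel elsewhere."""
    try:
        host, port = parse_pasv_reply(line)
    except ValueError:
        return False
    if port < 1024:
        return False
    return ipaddress.ip_address(host) == ipaddress.ip_address(server_ip)
```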

