From: Allen Landsidel
To: Rob Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: firewall
Date: Thu, 11 Oct 2001 10:23:26 -0400

At 10:06 AM 10/11/2001 -0400, you wrote:

>Passive FTP requires a larger hole in the firewall than active does. You
>must open port 21 as well as ports > 1024. Not good.
>
>If you use ipfilter and are keeping state, you only need the one pass in
>rule for port 21. The state tables take care of the rest.

Well, I've always considered PASV to be the safer of the two, although there is no good reason why... with a PORT command, there is always the possibility (that you mentioned) that a malicious client could tell the server to connect to a port going god knows where, doing god knows what... possibly doing some sort of mischief. A PASV connection on the other hand doesn't require the server to connect out to some random unknown machine... it just requires the random unknown machine to connect back to it on the port it says to.
PASV sounds more secure to me simply because it requires an active man-in-the-middle attack to exploit it in the way a PORT connection can be exploited by design. I don't see a problem with leaving some random high port range open for ftp to use, assuming the ftpd is smart enough to grab that port before it advertises that it has it back to the client.

My only real problem with ftp at all is that it sends passwords in plaintext, and doesn't do any sort of authentication outside of this. ftp in an ssh tunnel, or via ssl, is a reasonably solid alternative... but then so is scp. Problem is, nobody (meaning most people who dope around ftp sites) has any idea what any of this means.
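As an added example (not part of the original message or of any FreeBSD ftpd), the script below shows the two data-connection set-up messages the thread is arguing about and the check each side should apply: an ftpd should only honour a PORT command whose target is the client it is already talking to on the control connection (anything else is the "connect to god knows where" case), and an ftp client should only connect back to a PASV address that matches the server it is already talking to (the man-in-the-middle case). The IP addresses, port numbers and sample lines are constructed for illustration; the 1024 cut-off is an assumed local policy, not something the thread specifies.

```python
import re

# FTP (RFC 959) encodes an IPv4 address and a 16-bit port as six
# comma-separated decimal bytes: h1,h2,h3,h4,p1,p2  with port = p1*256 + p2.
#   client -> server:  PORT 192,168,1,10,4,1
#   server -> client:  227 Entering Passive Mode (203,0,113,7,195,80)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Assumed policy: refuse data connections to privileged ports, so a data
# connection can never be steered at smtp, dns, etc.
MIN_DATA_PORT = 1024


def _decode_hostport(csv_fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', port), range-checking each byte."""
    parts = [int(x) for x in csv_fields.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("host/port fields out of range: %r" % csv_fields)
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return host, port


def parse_port_command(line):
    """Parse a client's PORT command; raises ValueError on garbage."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    return _decode_hostport(m.group(1))


def parse_pasv_reply(line):
    """Parse a server's 227 reply to PASV; raises ValueError on garbage."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("malformed 227 reply: %r" % line)
    return _decode_hostport(m.group(1))


def check_port_target(control_peer_ip, line):
    """Server side: may we connect out to the address the client named in PORT?

    Returns (allowed, reason).  The target must be the same host that sent the
    command on the control connection, otherwise the client is using us as a
    bounce proxy to reach a third machine.
    """
    try:
        host, port = parse_port_command(line)
    except ValueError as e:
        return False, str(e)
    if host != control_peer_ip:
        return False, "PORT host %s is not the control peer %s (bounce attempt)" % (host, control_peer_ip)
    if port < MIN_DATA_PORT:
        return False, "PORT to privileged port %d refused" % port
    return True, "connect to %s:%d" % (host, port)


def check_pasv_target(control_server_ip, line):
    """Client side: may we connect back to the address the server named in 227?

    The client initiated the control connection, so it already knows which
    server it wants; a 227 pointing elsewhere means the server (or someone in
    the middle rewriting the reply) is redirecting our data connection.
    """
    try:
        host, port = parse_pasv_reply(line)
    except ValueError as e:
        return False, str(e)
    if host != control_server_ip:
        return False, "PASV host %s is not the control server %s (redirect)" % (host, control_server_ip)
    if port < MIN_DATA_PORT:
        return False, "PASV to privileged port %d refused" % port
    return True, "connect to %s:%d" % (host, port)


if __name__ == "__main__":
    # Constructed sample exchange.  Client 192.168.1.10 talks to server 203.0.113.7.
    client_ip, server_ip = "192.168.1.10", "203.0.113.7"
    for cmd in ("PORT 192,168,1,10,4,1",      # honest: data back to the client itself
                "PORT 10,0,0,5,0,25",         # bounce: third host, port 25
                "PORT 192,168,1,10,0,21",     # own host but privileged port
                "PORT 1,2,3"):                # malformed
        print("server sees %-28r -> %s" % (cmd, check_port_target(client_ip, cmd)))
    for reply in ("227 Entering Passive Mode (203,0,113,7,195,80)",   # honest
                  "227 Entering Passive Mode (198,51,100,9,195,80)"): # redirected
        print("client sees %-50r -> %s" % (reply, check_pasv_target(server_ip, reply)))
```

The PASV side is the reason the poster's firewall point holds: the high port the server advertises is one it already listens on, and a stateful filter that saw the 227 reply on port 21 can open exactly that port for exactly that client instead of a static hole across the whole range.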