Date: Thu, 11 Oct 2001 18:26:01 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Will Andrews <will@physics.purdue.edu>
Cc: Rob Simmons <rsimmons@wlcg.com>, Allen Landsidel <all@biosys.net>, freebsd-security@FreeBSD.ORG, Brock Kreiser <root63@earthlink.net>
Subject: Re: firewall
Message-ID: <20011011182601.D6135@straylight.oblivion.bg>
In-Reply-To: <20011011102432.B57251@squall.waterspout.com>; from will@physics.purdue.edu on Thu, Oct 11, 2001 at 10:24:32AM -0500
References: <5.1.0.14.0.20011011094352.00b022e8@rfnj.org> <20011011100410.G7007-100000@mail.wlcg.com> <20011011102432.B57251@squall.waterspout.com>
On Thu, Oct 11, 2001 at 10:24:32AM -0500, Will Andrews wrote:
> On Thu, Oct 11, 2001 at 10:06:39AM -0400, Rob Simmons wrote:
> > Passive FTP requires a larger hole in the firewall than active does. You
> > must open port 21 as well as ports > 1024. Not good.
> >
> > If you use ipfilter and are keeping state, you only need the one pass in
> > rule for port 21. The state tables take care of the rest.
>
> Er, you have that backwards. Passive FTP requires a SMALLER hole
> because it doesn't require ports > 1024 like active does.

I believe that they are discussing the case of a server being NAT'd.
In that case, the NAT machine has to allow for connections to ports > 1024 on the server to allow PASV FTP to work.

G'luck,
Peter

-- 
I am the thought you are now thinking.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011011182601.D6135>
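Added example for this thread (written for the archive page, not code from any of the posters): both sides of the argument above are about which end of the FTP session has to accept the inbound data connection. In active mode the client sends PORT and the server connects back, so the hole is on the client side; in passive mode the server answers 227 with an ephemeral port and the client connects, so the hole is on the server side, which is exactly the NAT'd-server case Peter describes. The script below parses both messages per RFC 959 (six decimal bytes, port = p1*256 + p2), works out who listens where, and lists the inbound ports a filter that does not follow the FTP control channel would have to open on each side. The addresses, the PORT line and the 227 reply are constructed sample data, and the function and class names are this example's own.

```python
"""Active vs. passive FTP: which side must accept the inbound data connection.

Example added to the archived thread; addresses and lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Set, Tuple

FTP_CONTROL_PORT = 21

# RFC 959 encodes an IPv4 address and a 16-bit port as h1,h2,h3,h4,p1,p2.
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in host/port encoding")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client's PORT command names where the SERVER must connect."""
    m = _PORT_CMD.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server's 227 reply names where the CLIENT must connect."""
    m = _PASV_REPLY.match(line)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.groups())


@dataclass(frozen=True)
class DataConnection:
    mode: str           # "active" or "passive"
    listener: str       # side that accepts the inbound SYN: "client" or "server"
    listener_host: str
    listener_port: int
    connector: str      # side that sends the SYN


def describe_data_connection(mode: str, line: str, client_ip: str, server_ip: str) -> DataConnection:
    """Decode the control-channel line and say who listens for the data connection.

    The address in PORT / 227 is checked against the control-connection peer: a
    server that honours PORT to a third host is an FTP bounce relay, and a client
    that follows a 227 to a third host can be redirected the same way.
    """
    if mode == "active":
        host, port = parse_port_command(line)
        if host != client_ip:
            raise ValueError(f"PORT address {host} is not the control peer {client_ip}")
        return DataConnection("active", "client", host, port, "server")
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        if host != server_ip:
            raise ValueError(f"PASV address {host} is not the control peer {server_ip}")
        return DataConnection("passive", "server", host, port, "client")
    raise ValueError(f"unknown mode {mode!r}")


def inbound_ports_to_open(conn: DataConnection, protected_side: str) -> Set[int]:
    """Ports a filter in front of `protected_side` must accept an inbound SYN on for
    this transfer, assuming it does not follow the FTP control channel (no FTP proxy
    or FTP-aware state). Server side: 21 always, plus the ephemeral data port only in
    passive mode. Client side: the PORT port only in active mode."""
    ports = set()
    if protected_side == "server":
        ports.add(FTP_CONTROL_PORT)
    if conn.listener == protected_side:
        ports.add(conn.listener_port)
    return ports


# Constructed sample session (documentation-range addresses).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
ACTIVE_LINE = "PORT 192,0,2,10,200,23"                              # client listens on 51223
PASSIVE_LINE = "227 Entering Passive Mode (198,51,100,20,195,80)."  # server listens on 50000

if __name__ == "__main__":
    for mode, line in (("active", ACTIVE_LINE), ("passive", PASSIVE_LINE)):
        conn = describe_data_connection(mode, line, CLIENT_IP, SERVER_IP)
        print(f"{mode:7s}: {conn.connector} -> {conn.listener} "
              f"{conn.listener_host}:{conn.listener_port}")
        for side in ("server", "client"):
            print(f"         inbound ports on {side} firewall: "
                  f"{sorted(inbound_ports_to_open(conn, side)) or 'none'}")
```

Running it shows the trade-off the thread is arguing about: with a stateless rule set in front of the server, passive mode needs 21 plus the ephemeral port (in practice the whole range the server hands out), while active mode needs only 21 but pushes an inbound hole onto every client. A filter or NAT that parses the control channel (an FTP proxy) can open the single data port on demand instead, which is the only way to reduce either case to "one pass in rule for port 21".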