Date: Thu, 22 Jun 2000 09:59:54 -0500 (CDT)
From: Dan Debertin <airboss@bitstream.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: allowing passive ftp through ipfw
Message-ID: <Pine.LNX.4.20.0006220956050.300-100000@dmitri.bitstream.net>
In-Reply-To: <200006221351.e5MDpDN05578@cwsys.cwsent.com>
On Thu, 22 Jun 2000, Cy Schubert - ITSD Open Systems Group wrote:
>
> I vehemently disagree. It is a high risk because an attacker can
> connect to services running on ports >= 1024, e.g. Oracle. Even if
> you're not running any services >= 1024, it is trivial to scan your
> network to get a picture of what it looks like to plan a strategy of
> attack. IMO too much risk.

Provided you aren't running services >= 1024, it becomes quite a bit less
trivial to scan if you set

net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

>
> I think that the FTP protocol needs to be retired. It is old and not
> firewall friendly. HTTP can do everything that anonymous FTP can do.
> To replace regular FTP, use SSH. IMO the only place where the use of
> FTP is acceptable is within the confines of one's own network.
>

That would be great if there were reasonably common, well-thought-out client
software for SCP or SFTP even. The software is there, but compared to the
great variety of FTP software out there, and the degree to which it makes FTP
easy for the uninitiated, asking non-computer-literate people to use SCP is
too much.

I agree with you on HTTP, though.

~Dan D.

-- 
__________________________________________________________________
-- I am just an advertisement
-- For a version
-- Of myself.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
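The two blackhole sysctls from the reply above, as an added example (not code from the thread or from FreeBSD): a small POSIX sh helper that persists them idempotently in a sysctl.conf-style file and, on a FreeBSD host, applies them at runtime. The file path and the function names are assumptions for illustration; the FreeBSD semantics in the comments come from blackhole(4).

```shell
#!/bin/sh
# Added example, not from the original message. On FreeBSD,
# net.inet.tcp.blackhole=1 silently drops SYNs to closed TCP ports instead of
# answering RST, and net.inet.udp.blackhole=1 drops datagrams to closed UDP
# ports instead of sending ICMP port unreachable. This slows port mapping;
# it does not replace ipfw filtering of the ports you actually expose.

# ensure_sysctl FILE KEY VALUE: set KEY=VALUE in FILE, rewriting an existing
# line for KEY or appending one. Idempotent, so it is safe to rerun.
ensure_sysctl() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl FILE KEY: print the configured value for KEY (empty if unset).
get_sysctl() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# blackhole_harden FILE: configure both blackholes in FILE (normally
# /etc/sysctl.conf, an assumption) and apply them now if running on FreeBSD.
blackhole_harden() {
    ensure_sysctl "$1" net.inet.tcp.blackhole 1 || return 1
    ensure_sysctl "$1" net.inet.udp.blackhole 1 || return 1
    if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
        sysctl net.inet.tcp.blackhole=1 net.inet.udp.blackhole=1
    fi
}
```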