Date: Thu, 22 Jun 2000 09:59:54 -0500 (CDT)
From: Dan Debertin
To: freebsd-ipfw@freebsd.org
Subject: Re: allowing passive ftp through ipfw
In-Reply-To: <200006221351.e5MDpDN05578@cwsys.cwsent.com>

On Thu, 22 Jun 2000, Cy Schubert - ITSD Open Systems Group wrote:

>
> I vehemently disagree. It is a high risk because an attacker can
> connect to services running on ports >= 1024, e.g. Oracle. Even if
> you're not running any services >= 1024, it is trivial to scan your
> network to get a picture of what it looks like to plan a strategy of
> attack. IMO too much risk.

Provided you aren't running services >= 1024, it becomes quite a bit
less trivial to scan if you set

    net.inet.tcp.blackhole=1
    net.inet.udp.blackhole=1

>
> I think that the FTP protocol needs to be retired. It is old and not
> firewall friendly. HTTP can do everything that anonymous FTP can do.
> To replace regular FTP, use SSH. IMO the only place where the use of
> FTP is acceptable is within the confines of one's own network.
>

That would be great if there were reasonably common, well-thought-out
client software for SCP or SFTP even. The software is there, but
compared to the great variety of FTP software out there, and the degree
to which it makes FTP easy for the uninitiated, asking
non-computer-literate people to use SCP is too much.

I agree with you on HTTP, though.

~Dan D.
--
__________________________________________________________________
-- I am just an advertisement
-- For a version
-- Of myself.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290