From: Mike Meyer
Date: Fri, 26 Oct 2001 17:52:40 -0500
To: "Patrick O'Reilly"
Subject: RE: ipfw rules for FTP - passive vs. active

Patrick O'Reilly types:
> Mike,
> I have been using option (1) till now, but the pressure to back down is
> mounting. I'll look into (2). My FTP is not for general anonymous access.
> It is for exchange of data between trading partners, so I need to cater for
> "secure" connections with login and password controlling access to the
> server (don't laugh too loud please - I know FTP's "security" is, well, weak,
> but the users feel better knowing that they have given a password!). Will
> HTTP cater for file up-and-down loads with user authentication?

That was already answered, but yes.

> I've tried pushing people to use scp (Putty's sister called pscp does a
> great job on Windoze platforms). However, the resistance to change is
> mind-boggling! :( And that resistance comes from the very same people who
> insist on having "secure" FTP logins and passwords. Go figure!

That's my preferred solution. I'm not sure what it takes to configure
sshd to allow scp but no ssh, though.

One other option is to put the ftp server outside the firewall as a
dedicated box. Since it's outside the firewall, everyone can reach it
with passive connection. This is basically the proxy solution, except
the extra work is on the user's head instead of the admin's head.
Possibly telling those users who don't like pscp that they can instead
shell out a few hundred for another server for this will encourage
them to change :-).

http://www.mired.org/home/mwm/
Q: How do you make the gods laugh? A: Tell them your plans.