From owner-freebsd-security Mon Jul 6 14:10:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA19023 for freebsd-security-outgoing; Mon, 6 Jul 1998 14:10:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (root@ts01-62.waterford.indigo.ie [194.125.139.125]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA18919 for ; Mon, 6 Jul 1998 14:09:49 -0700 (PDT) (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id RAA00781; Mon, 6 Jul 1998 17:36:06 +0100 (IST) (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199807061636.RAA00781@indigo.ie>
Date: Mon, 6 Jul 1998 17:36:05 +0000
In-Reply-To: David Greenman "Re: bsd securelevel patch question" (Jul 5, 2:17pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: dg@root.com, rotel@indigo.ie
Subject: Re: bsd securelevel patch question
Cc: "Allen Smith" , security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 5, 2:17pm, David Greenman wrote:
>
> Passive FTP is initiated by the client and is not something that the server
> can enforce. Further, it does nothing to enhance security for the server - if
> anything, it actually reduces the security since you'd have to poke holes
> through any firewall to allow the client data connects.

Well, the decision to enforce it is a matter of site policy; most ftp clients support passive mode by now.

As for the security, I'd prefer to allow connects in to the ftp servers on ports I know it will be listening on rather than having a machine inside the DMZ initiating TCP connections. Having said that, FreeBSD's ftp daemon currently accepts connections on ports it is listening on from any IP, in accordance with the FTP RFC, but this is inconsistent with the behaviour of the PORT command in paranoid mode, which will only connect to the IP of the control channel peer. What do you think of patching this?

Niall
--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
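The consistency check the message asks about, written out as an added example. This is not code from the message, from FreeBSD's ftpd, or from any patch discussed in the thread; the function names (`parse_port_argument`, `check_active_target`, `check_passive_peer`), the `paranoid` flag, the reply strings and the sample addresses are all constructed here. It applies the same rule to both data-connection modes: in active mode the server refuses a PORT target whose host is not the control-channel peer (the "paranoid" behaviour the message describes), and in passive mode it likewise refuses a connection arriving on its PASV listening port from any address other than the control-channel peer, rather than accepting from any IP. The refusal of privileged ports in `check_active_target` is an extra check beyond what the message discusses.

```python
"""
Peer-address consistency checks for FTP data connections.

Added example, not FreeBSD ftpd code. No network I/O takes place; the
decisions are made on constructed addresses so the logic can be tested
offline. Function names, reply strings and sample values are assumptions.
"""
from __future__ import annotations

import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as defined for the PORT command in RFC 959.
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Decode a PORT argument into (dotted host, port).

    Raises ValueError on malformed input so the caller can answer 501.
    """
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def check_active_target(control_peer: str, port_arg: str, paranoid: bool = True) -> tuple[bool, str]:
    """Decide whether the server may open the data connection named by PORT.

    Returns (allowed, ftp_reply). In paranoid mode the server only connects
    to the IP of the control-channel peer. The privileged-port refusal is
    an additional check not discussed in the message.
    """
    try:
        host, port = parse_port_argument(port_arg)
    except ValueError as e:
        return False, f"501 {e}"
    if paranoid and ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, "500 Illegal PORT command: host does not match control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, "200 PORT command successful"


def check_passive_peer(control_peer: str, data_peer: str, paranoid: bool = True) -> tuple[bool, str]:
    """Decide whether a connection accepted on the PASV listening socket may
    serve as the data connection.

    Mirrors check_active_target: a paranoid server closes a data connection
    whose peer is not the control-channel peer instead of accepting from
    any IP. data_peer is the address reported by accept() for the new socket.
    """
    if paranoid and ipaddress.ip_address(data_peer) != ipaddress.ip_address(control_peer):
        return False, "425 Can't open data connection: peer address mismatch"
    return True, "150 Opening data connection"


if __name__ == "__main__":
    # Constructed scenario: control connection from 192.0.2.10 (documentation range).
    ctl = "192.0.2.10"
    for arg in ("192,0,2,10,4,1", "198,51,100,7,4,1", "192,0,2,10,0,25", "192,0,2,10,4"):
        print(f"PORT {arg:<20} -> {check_active_target(ctl, arg)[1]}")
    for peer in ("192.0.2.10", "203.0.113.5"):
        print(f"PASV data from {peer:<12} -> {check_passive_peer(ctl, peer)[1]}")
```

Passing `paranoid=False` restores the RFC 959 behaviour the message attributes to the current daemon for passive mode (any peer accepted), which makes the two modes easy to compare side by side.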