Date: Mon, 6 Jul 1998 17:36:05 +0000
From: Niall Smart <rotel@indigo.ie>
To: dg@root.com, rotel@indigo.ie
Cc: "Allen Smith" <easmith@beatrice.rutgers.edu>, security@FreeBSD.ORG, njs3@doc.ic.ac.uk, dima@best.net, abc@ralph.ml.org, tqbf@secnet.com
Subject: Re: bsd securelevel patch question
Message-ID: <199807061636.RAA00781@indigo.ie>
In-Reply-To: David Greenman <dg@root.com> "Re: bsd securelevel patch question" (Jul 5, 2:17pm)
On Jul 5, 2:17pm, David Greenman wrote:
>
> Passive FTP is initiated by the client and is not something that the server
> can enforce. Further, it does nothing to enhance security for the server - if
> anything, it actually reduces the security since you'd have to poke holes
> through any firewall to allow the client data connects.

Well, the decision to enforce it is a matter of site policy, most ftp clients support passive mode by now.

As for the security, I'd prefer to allow connects in to the ftp servers on ports I know it will be listening on rather than having a machine inside the DMZ initiating TCP connections; having said that, FreeBSD's ftp daemon currently accepts connections on ports it is listening on from any IP, in accordance with the FTP RFC, but this is inconsistent with the behaviour of the PORT command in paranoid mode which will only connect to the IP of the control channel peer. What do you think of patching this?

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
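The check the message proposes, as an added example that is not part of the thread and not FreeBSD ftpd's own code: after accept() on the passive-mode listening socket, compare the data connection's peer host with the control channel's peer host and drop the connection on mismatch, mirroring what the message says PORT does in paranoid mode. The function names (`same_ipv4_host`, `accept_passive_data`, `same_host_from_text`) and the sample addresses are constructed for the example; only the host part is compared, since the client may use any source port for the data connection.

```c
/*
 * Added example, not from the original thread or from FreeBSD's ftpd.
 * Peer check for passive-mode FTP data connections: the data connection
 * must come from the same IPv4 host as the control channel peer.
 * Function names here are hypothetical.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if both IPv4 sockaddrs carry the same host address, else 0.
 * The port is deliberately ignored: only the host must match. */
int same_ipv4_host(const struct sockaddr_in *ctrl_peer,
                   const struct sockaddr_in *data_peer)
{
    if (ctrl_peer->sin_family != AF_INET || data_peer->sin_family != AF_INET)
        return 0;
    return ctrl_peer->sin_addr.s_addr == data_peer->sin_addr.s_addr;
}

/* Build a sockaddr_in from dotted-quad text; returns 1 on success, 0 on bad input. */
int make_ipv4_addr(const char *dotted, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, dotted, &out->sin_addr) == 1;
}

/* Convenience wrapper for the same policy on textual addresses:
 * 1 = same host, 0 = different host, -1 = unparsable input. */
int same_host_from_text(const char *ctrl_ip, const char *data_ip)
{
    struct sockaddr_in a, b;
    if (!make_ipv4_addr(ctrl_ip, 21, &a) || !make_ipv4_addr(data_ip, 0, &b))
        return -1;
    return same_ipv4_host(&a, &b);
}

/*
 * Accept one connection on the passive-mode listening socket pasv_fd and
 * enforce that it originates from the control-channel peer ctrl_peer.
 * Returns the accepted fd, or -1 if accept() failed or the peer did not
 * match (in which case the stray connection is closed and logged).
 * A real daemon would also loop, apply a timeout and log more context;
 * this is the core check only.
 */
int accept_passive_data(int pasv_fd, const struct sockaddr_in *ctrl_peer)
{
    struct sockaddr_in data_peer;
    socklen_t len = sizeof data_peer;
    int fd = accept(pasv_fd, (struct sockaddr *)&data_peer, &len);
    if (fd < 0)
        return -1;
    if (!same_ipv4_host(ctrl_peer, &data_peer)) {
        char buf[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &data_peer.sin_addr, buf, sizeof buf);
        fprintf(stderr, "rejected PASV data connection from %s\n", buf);
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample addresses (documentation ranges), not real hosts. */
    printf("control 192.0.2.10, data 192.0.2.10   -> %d (accept)\n",
           same_host_from_text("192.0.2.10", "192.0.2.10"));
    printf("control 192.0.2.10, data 198.51.100.7 -> %d (reject)\n",
           same_host_from_text("192.0.2.10", "198.51.100.7"));
    return 0;
}
```

The wrapper is what a server would call in place of a bare accept() once PASV has been issued; the textual helper exists so the policy can be unit-tested without opening sockets.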