From owner-freebsd-security Mon Apr 3 9:17:54 2000
Date: Mon, 3 Apr 2000 10:15:51 -0600 (MDT)
From: Paul Hart
To: Michael McHugh
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall rules for an internet FTP server?
In-Reply-To: <38E8A393.D492BB3B@actv.com>
Message-ID:

On Mon, 3 Apr 2000, Michael McHugh wrote:

> Also, ftp can be run in two modes - passive and active. Passive
> involves pure port 21, active involves the ftp server opening a
> connection from port 20 to a high numbered port on the client.

Uhh, not quite. Passive mode DOES involve the client connecting to a
high numbered port on the server (chosen by the server). Both active
and passive modes require a separate data channel and are troublesome
to firewall. The difference is only in who picks the ports and who
contacts whom.

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
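The point Paul makes, that both modes open a second TCP connection and differ only in who picks the port and who connects to whom, is easiest to see by decoding the two control-channel messages that set the data channel up: the client's PORT command in active mode and the server's 227 reply in passive mode. The following is an added example written for this page, not code from the thread or from FreeBSD; the addresses and control-channel lines are constructed, and the two sanity checks (announced address must equal the control-channel peer, data port must not be privileged) are the ones a firewall or FTP proxy would apply before admitting the data connection.

```python
"""Which side opens the FTP data channel, decoded from the control channel.

Added example: parses the PORT command (active mode) and the 227 reply
(passive mode), reports who connects to whom, and applies the sanity
checks a firewall or FTP proxy would run before admitting that connection.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

FTP_ACTIVE_DATA_PORT = 20  # source port the server uses when it connects out in active mode

# Active mode: the CLIENT sends "PORT h1,h2,h3,h4,p1,p2" naming the address and
# port it is listening on; the server then connects from port 20 to it.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

# Passive mode: the client sends "PASV" and the SERVER answers
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the client then connects to it.
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class DataChannel:
    mode: str                        # "active" or "passive"
    initiator: str                   # "server" or "client": who opens the TCP connection
    src: Tuple[str, Optional[int]]   # (address, port); None means an ephemeral port
    dst: Tuple[str, int]             # (address, port) the initiator connects to
    problems: Tuple[str, ...]        # empty when the announced endpoint passes the checks


def _decode(fields: Sequence[str]) -> Tuple[str, int]:
    """Turn the six h1..p2 fields into ("a.b.c.d", p1*256+p2)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("h1..p2 must each be 0-255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _sanity(addr: str, expected: str, port: int) -> Tuple[str, ...]:
    """Checks a firewall or proxy applies before opening the data channel (added here)."""
    problems = []
    if addr != expected:
        # Announced address is a third party, not the control-channel peer (bounce attempt).
        problems.append("address %s does not match control-channel peer %s" % (addr, expected))
    if port < 1024:
        # A data port in the privileged range is never legitimate for either mode.
        problems.append("data port %d is below 1024" % port)
    return tuple(problems)


def data_channel(client_ip: str, server_ip: str, line: str) -> Optional[DataChannel]:
    """Map one control-channel line to the data connection it sets up, or None."""
    m = PORT_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        return DataChannel(
            mode="active",
            initiator="server",
            src=(server_ip, FTP_ACTIVE_DATA_PORT),
            dst=(addr, port),
            problems=_sanity(addr, client_ip, port),
        )
    m = PASV_RE.match(line)
    if m:
        addr, port = _decode(m.groups())
        return DataChannel(
            mode="passive",
            initiator="client",
            src=(client_ip, None),
            dst=(addr, port),
            problems=_sanity(addr, server_ip, port),
        )
    return None


if __name__ == "__main__":
    client, server = "192.0.2.10", "198.51.100.5"   # constructed addresses
    for line in ("PORT 192,0,2,10,195,80",
                 "227 Entering Passive Mode (198,51,100,5,200,20)",
                 "PORT 203,0,113,7,0,25"):           # constructed bounce attempt: other host, port 25
        print(line, "->", data_channel(client, server, line))
```

Running it shows why a rule set that only permits TCP to port 21 is not enough in either mode: in active mode the server connects from port 20 to a high port the client announced, so the client's side must accept that inbound connection; in passive mode the client connects to a high port the server announced, so the server's side must accept it. A firewall that does not read the control channel (a stateful FTP proxy or helper) has to open a port range blind on whichever side receives the data connection, which is exactly what makes both modes troublesome to filter.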