From owner-freebsd-security Wed Jun 13 16:56:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 09CD637B407 for ; Wed, 13 Jun 2001 16:56:29 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id QAA32354; Wed, 13 Jun 2001 16:55:07 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda32348; Wed Jun 13 16:55:03 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5DNsw831494; Wed, 13 Jun 2001 16:54:58 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdT31490; Wed Jun 13 16:54:05 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5DNqZs12570; Wed, 13 Jun 2001 16:52:35 -0700 (PDT)
Message-Id: <200106132352.f5DNqZs12570@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpds12564; Wed Jun 13 16:52:07 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Matt Dillon
Cc: Nate Williams, Garrett Wollman, Jamie Norwood, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
In-reply-to: Your message of "Tue, 12 Jun 2001 16:56:37 PDT." <200106122356.f5CNubp50204@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Jun 2001 16:52:07 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <200106122356.f5CNubp50204@earth.backplane.com>, Matt Dillon writes:
>
> :> Balderdash!
> :> HTTP and TCP both send files over identical TCP
> :> connections, which makes them equally efficient.
> :
> :From a raw protocol stack, yes. However, most FTP servers are optimized
> :for streaming out large bits of static data, while HTTP servers are less
> :optimized for this.
> :
> :FTP servers can be more easily optimized (KISS et al), and hence FTP is
> :a better protocol for simple file transfers.
> :
> :Nate
>
> If you have to have a web server, and would only also have an ftp
> server to 'optimize' transfers, I would submit that whatever
> performance one perceives as having gained from running the ftp
> server (which I think is Balderdash as well) is offset by the fact
> that you are now running two pieces of server software that might
> potentially create a security hazard rather than one.
>
> Since I can't do without my web server, ftpd is the one I turn off.

That's exactly what I do. Additionally, if I need to use non-anonymous FTP,
I use sftp, scp, or, if behind a firewall, one of the Kerberos services.

> Historically, a plain old Apache with no fancy modules turned on
> is just as secure... in fact, even more secure... than ftpd. Maybe
> because web servers focus on read-only stuff whereas ftpd tries to
> be general purpose read/write/exec/chmod/only-god-knows-what-else.

Not only that, but HTTP is firewall friendly. FTP requires proxies. IP Filter
provides a good client-side FTP proxy; however, a server-side FTP proxy is
unknown in the open-source community. Given the exploits of various FTP
daemons, of which FreeBSD has been fortunate to have such a secure ftpd, and
exploits of the FTP protocol itself, e.g. bounce, the wisdom of running an
FTP server behind a firewall is unadvised. I agree that we're better off
using HTTP. I'll be glad the day the FTP protocol has been finally put to
rest.
>
> -Matt

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
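Added example, not part of the message above and not code from FreeBSD's ftpd or IP Filter. It illustrates two points Cy raises: why FTP needs a proxy or firewall helper (the active-mode PORT command names an arbitrary address and port that the server will connect out to, so no static rule can cover the data channel), and what the FTP bounce attack looks like from the server's side, together with the server-side check RFC 2577 recommends against it (refuse a PORT whose address is not the control-connection peer, and refuse privileged ports). The session log, host addresses and function names are constructed for the example.

```python
import ipaddress
import re

# Syntax of the active-mode PORT command (RFC 959): h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port(cmd):
    """Return the (ip, port) the client asks the server to connect to.

    This pair is exactly what a firewall helper or proxy must open
    dynamically for every transfer; HTTP has no such moving target.
    Raises ValueError on malformed input.
    """
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("malformed PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("PORT field out of range: %r" % cmd)
    ip = ipaddress.IPv4Address(".".join(str(x) for x in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(cmd, control_peer):
    """Decide whether a server should honour a PORT command.

    control_peer is the source address of the control connection.
    The checks follow RFC 2577: the data address must equal the
    control peer (otherwise the server can be used to connect to a
    third host, the bounce attack) and the port must be unprivileged,
    so the server cannot be pointed at SMTP, DNS, etc. even on the
    client's own host. Returns (accepted, reason).
    """
    try:
        ip, port = parse_port(cmd)
    except ValueError as exc:
        return False, "syntax: %s" % exc
    if ip != ipaddress.IPv4Address(control_peer):
        return False, "bounce: data address %s differs from control peer %s" % (
            ip, control_peer)
    if port < 1024:
        return False, "privileged data port %d" % port
    return True, "ok: will connect to %s:%d" % (ip, port)


# Constructed control-session log for the example (documentation address
# ranges; nothing here is taken from a real server).
SAMPLE_SESSION = [
    ("198.51.100.7", "PORT 198,51,100,7,4,1"),     # legitimate: own host, port 1025
    ("198.51.100.7", "PORT 203,0,113,25,0,25"),    # bounce attempt: third host, port 25
    ("198.51.100.7", "PORT 198,51,100,7,0,80"),    # own host, but privileged port 80
    ("198.51.100.7", "PORT 198,51,100,999,4,1"),   # malformed octet
]


def audit_session(session=SAMPLE_SESSION):
    """Run each PORT command through the check; returns [(cmd, accepted, reason)]."""
    return [(cmd,) + check_port_command(cmd, peer) for peer, cmd in session]


if __name__ == "__main__":
    for cmd, accepted, reason in audit_session():
        print("%-28s %s  %s" % (cmd, "ACCEPT" if accepted else "REJECT", reason))
```

Only the first command in the constructed session is accepted; the second is the classic bounce (the client asks the server to open a connection to port 25 on a different host), the third would let the client drive the server against a privileged service on the client's own machine, and the fourth is simply malformed. A firewall in front of the server sees none of this unless it parses the control channel, which is the proxy requirement the message describes.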