Date: Wed, 13 Jun 2001 16:52:07 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Matt Dillon <dillon@earth.backplane.com>
Cc: Nate Williams <nate@yogotech.com>, Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, Jamie Norwood <mistwolf@mushhaven.net>, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <200106132352.f5DNqZs12570@cwsys.cwsent.com>
In-Reply-To: Your message of "Tue, 12 Jun 2001 16:56:37 PDT." <200106122356.f5CNubp50204@earth.backplane.com>
In message <200106122356.f5CNubp50204@earth.backplane.com>, Matt Dillon writes:
>
> :> Balderdash! HTTP and TCP both send files over identical TCP
> :> connections, which makes them equally efficient.
> :
> :From a raw protocol stack, yes. However, most FTP servers are optimized
> :for streaming out large bits of static data, while HTTP servers are less
> :optimized for this.
> :
> :FTP servers can be more easily optimized (KISS et al), and hence FTP is
> :a better protocol for simple file transfers.
> :
> :Nate
>
> If you have to have a web server, and would only also have a ftp
> server to 'optimize' transfers, I would submit that whatever
> performance one perceives as having gained from running the ftp
> server (which I think is Balderdash as well) is offset by the fact
> that you are now running two pieces of server software that might
> potentially create a security hazard rather than one.
>
> Since I can't do without my web server, ftpd is the one I turn off.

That's exactly what I do. Additionally, if I need to use non-anonymous FTP, I use sftp, scp, or, if behind a firewall, one of the Kerberos services.

>
> Historically, a plain old Apache with no fancy modules turned on
> is just as secure... in fact, even more secure... than ftpd. Maybe
> because web servers focus on read-only stuff whereas ftpd tries to
> be general purpose read/write/exec/chmod/only-god-knows-what-else.

Not only that, but HTTP is firewall friendly. FTP requires proxies. IP Filter provides a good client-side FTP proxy; however, a server-side FTP proxy is unknown in the open-source community. Given the exploits of various FTP daemons (FreeBSD has been fortunate to have such a secure ftpd) and exploits of the FTP protocol itself, e.g. bounce, running an FTP server behind a firewall is inadvisable.

I agree that we're better off using HTTP. I'll be glad the day the FTP protocol has finally been put to rest.
>
> -Matt

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
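The two protocol points raised in the message above (FTP needs a proxy or stateful helper where HTTP needs a single port rule, and the FTP "bounce" attack) come down to the data-channel addressing in PORT commands and 227 PASV replies. The following is an added example, not code from the message or from FreeBSD's ftpd or IP Filter. It parses those two message types and applies the two anti-bounce rules a hardened ftpd or a server-side FTP proxy would have to enforce (refuse a data connection to any host other than the control-connection peer, and refuse privileged ports). The client address and the control-channel lines are constructed for the example.

```python
"""FTP data-channel address checks of the kind a hardened ftpd or an
FTP-aware firewall proxy must perform. Added example; the sample traffic
below is constructed and the client address is an assumption."""
import ipaddress
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 (RFC 959): IPv4 address, port = p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\(" + _HOSTPORT + r"\)")


def decode_hostport(fields):
    """Turn the six captured strings into ('a.b.c.d', port); reject fields > 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("h/p field out of range: %r" % (fields,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def check_port_command(line, client_ip):
    """Decide whether an active-mode PORT command from client_ip is acceptable.

    Returns (allowed, reason). The two rejections are the classic anti-bounce
    rules (RFC 2577, section 3): the data connection must go back to the host
    that opened the control connection, and never to a privileged port, so the
    server cannot be used to reach e.g. SMTP on a third host.
    """
    m = PORT_RE.match(line)
    if not m:
        return False, "malformed PORT command"
    try:
        host, port = decode_hostport(m.groups())
    except ValueError as exc:
        return False, str(exc)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(client_ip):
        return False, "bounce attempt: data target %s is not the control peer %s" % (host, client_ip)
    if port < 1024:
        return False, "privileged data port %d refused" % port
    return True, "data connection to %s:%d permitted" % (host, port)


def parse_pasv_reply(line):
    """Extract (host, port) from a server's 227 reply.

    This is the pinhole a stateful firewall or proxy must open for passive-mode
    FTP by reading the control channel; HTTP has no equivalent, since its one
    TCP connection needs only a static rule for the service port.
    """
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % (line,))
    return decode_hostport(m.groups())


# Constructed control-channel traffic from an assumed client at 192.0.2.10.
SAMPLE_CLIENT_IP = "192.0.2.10"
SAMPLE_PORT_COMMANDS = [
    "PORT 192,0,2,10,4,1",       # back to the client, port 1025: fine
    "PORT 198,51,100,25,0,25",   # third-party host, port 25: bounce to SMTP
    "PORT 192,0,2,10,0,80",      # right host, privileged port: refuse
    "PORT 192,0,2,300,4,1",      # field 300 is not a valid octet
]


def audit_port_commands(lines=SAMPLE_PORT_COMMANDS, client_ip=SAMPLE_CLIENT_IP):
    """Run the PORT check over each command; returns a list of (line, allowed, reason)."""
    return [(line,) + check_port_command(line, client_ip) for line in lines]


if __name__ == "__main__":
    for line, ok, why in audit_port_commands():
        print("%-26s %s  %s" % (line, "ACCEPT" if ok else "REJECT", why))
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,1,195,80)"))
```

Only the first sample command is accepted; the second is the bounce case the message refers to, and the fourth shows why field range checking has to precede address comparison. The 227 parser is the piece a firewall needs in order to pass passive FTP at all, which is the work a plain HTTP rule never has to do.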