From owner-freebsd-questions@FreeBSD.ORG Thu Jul 12 20:28:54 2012
Message-ID: <4FFF3386.1060109@gmail.com>
Date: Thu, 12 Jul 2012 21:28:54 +0100
From: Kaya Saman
To: kpneal@pobox.com
Cc: freebsd-questions
References: <20120712191306.GA24943@neutralgood.org>
In-Reply-To: <20120712191306.GA24943@neutralgood.org>
Subject: Re: Is there a way to run FreeBSD ports through port 80?

On 07/12/2012 08:13 PM, kpneal@pobox.com wrote:
> On Thu, Jul 12, 2012 at 06:44:56PM +0100, Kaya Saman wrote:
>> I do in fact work for this company and additionally I am one of the
>> administrators of the company.
>>
>> The information comes straight down from the IT director who will
>> **not** change his mind on this as I have asked several times in the
>> past.
>>
>>
>> Basically without getting too distracted and off-topic: I open the
>> ports on the firewall - tomorrow I am not employed anymore
> So called "active" ftp requires having the server open a connection back
> to the client. This will be blocked by a firewall unless the firewall
> has special support for it. I can see having a firewall not allow
> those connections into your network.
>
> With "passive" ftp with or without a proxy all connections are opened from
> your end. No opening up of the firewall is required. Plus, if you don't
> touch your firewall then attempted use of active ftp will just result in
> a hung network connection.
>
> I believe active ftp was the default and perhaps only option for a number
> of years.
>
> Does your IT director understand the active/passive distinction? If not
> then perhaps you could explain it in a way that acknowledges that his
> concerns have some merit but those concerns are not relevant to passive
> ftp.
>
> Yes, this is very easy for me to suggest since I don't know any of the
> relevant people and my paycheck is not on the line. And my suggestion
> may be worth what you paid for it. ;)
>

Hi,

of course everything is known but still it is preferred to keep a total
lock-down on outbound ports.

We handle a lot of highly sensitive information and that's the need for
the severe lock-down. Even the web-proxy is restricted to the sites
accessible meaning that we need to request access if we need to go
somewhere not governed by that proxy.

Regards,

Kaya
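
Added example, not part of either message: a small Python classifier that reads FTP control-channel lines (RFC 959 PORT/227 and RFC 2428 229 syntax) and reports which side opens the data connection and to which port, as seen from the client-side firewall. The sample lines, the documentation-range addresses and the egress set {80, 443} are constructed assumptions, not values from this thread.

```python
import re

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"  # h1,h2,h3,h4,p1,p2

def _host_port(groups):
    n = [int(x) for x in groups]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def data_channel(line, server_ip):
    """Return (mode, initiator, dest_ip, dest_port), or None if the line
    does not negotiate a data connection."""
    m = re.fullmatch(r"PORT " + SIX, line)
    if m:  # active: client tells the server where to connect back to
        return ("active", "server") + _host_port(m.groups())
    m = re.fullmatch(r"227 .*\(" + SIX + r"\).*", line)
    if m:  # passive: server tells the client where to connect
        return ("passive", "client") + _host_port(m.groups())
    m = re.fullmatch(r"229 .*\(\|\|\|(\d+)\|\).*", line)
    if m:  # extended passive: port only, same host as the control channel
        return ("passive", "client", server_ip, int(m.group(1)))
    return None

def client_firewall_verdict(line, server_ip, egress_ports, inbound_allowed=False):
    """Decide what a client-side firewall does with the data connection."""
    ch = data_channel(line, server_ip)
    if ch is None:
        return "no data channel"
    _mode, initiator, _ip, port = ch
    if initiator == "server":  # connection arrives from outside
        return "allowed" if inbound_allowed else "blocked: inbound to client"
    return "allowed" if port in egress_ports else f"blocked: outbound to port {port}"

# Constructed control-channel lines; addresses are documentation ranges.
SERVER = "198.51.100.7"
SAMPLE = [
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,7,234,96)",
    "229 Entering Extended Passive Mode (|||60000|)",
    "230 Login successful.",
]
EGRESS = {80, 443}  # assumed outbound policy for illustration

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line!r}: {client_firewall_verdict(line, SERVER, EGRESS)}")
```
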