Date: Fri, 18 May 2007 08:04:43 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Dave'" <dmehler26@woh.rr.com>, <freebsd-pf@freebsd.org>
Subject: RE: ftp, pf, passive ftp and fetch
Message-ID: <000d01c7991a$cff492e0$6fddb8a0$@Hennessy@nviz.net>
In-Reply-To: <000301c798e6$d51bfdf0$0200a8c0@satellite>
References: <000301c798e6$d51bfdf0$0200a8c0@satellite>

> Hi,
> I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe I have passive working, one of my
> Windows boxes goes passive and dies on active.

Command line FTP client in Windows is active only.

> I've got three questions. First,
> portupgrade uses fetch for retrieval correct, if so I want it to use
> the -p (passive option) by default whenever it tries an ftp url.

gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1

> Second, ncftp I'd like to specify that it should use passive mode connections
> by default as well.

gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on

> Last, is active or passive ftp better in terms of security
> strictly from a firewall perspective, I know the protocol isn't secure?

Passive is less of a PITA, (that's not saying much). One doesn't have to handle ingress traffic initiated from the server.
However one either has to leave high ports open or use a L7 proxy to dynamically open the firewall for each request, hence pftpx.

> If active ftp is better than passive does anyone have a ruleset with it?
> I'm using a block by default ruleset.

I haven't used active FTP for years TBH. I have had serious arguments with vendors and suppliers who tried to insist on its use through environments I have had responsibility for.

Greg

> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
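
Added example, not part of the original message and not pftpx's own code: a sketch of what an FTP-aware (L7) proxy has to read off the control channel so that it can open one narrow data-connection rule per transfer instead of leaving high ports open. The function names, the addresses in the demo and the refusal of third-party addresses are assumptions of this example.

```python
import re

# Control-channel messages that announce where the data connection will go.
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPSV = re.compile(r"^229 .*\((.)\1\1(\d+)\1\)")


def _endpoint(fields):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); reject out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_flow(line, client_ip, server_ip):
    """Return (mode, src_ip, dst_ip, dst_port) for the data connection
    announced by one control-channel line, or None if it announces none."""
    m = _PORT.match(line)
    if m:  # active: the server connects back in to the client
        ip, port = _endpoint(m.groups())
        if ip != client_ip:
            raise ValueError("PORT names a third-party address")
        return ("active", server_ip, client_ip, port)
    m = _PASV.match(line)
    if m:  # passive: the client connects out to the server
        ip, port = _endpoint(m.groups())
        if ip != server_ip:
            raise ValueError("227 names a third-party address")
        return ("passive", client_ip, server_ip, port)
    m = _EPSV.match(line)
    if m:  # extended passive (RFC 2428): port only, same server address
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range")
        return ("passive", client_ip, server_ip, port)
    return None


if __name__ == "__main__":
    # Constructed control-channel lines (not captured traffic).
    for line in ("PORT 10,0,0,5,4,1", "227 Entering Passive Mode (198,51,100,7,195,80)"):
        print(data_flow(line, "10.0.0.5", "198.51.100.7"))
```

The returned tuple shows the firewall-side difference discussed above: active mode yields a flow from the server in to the client, passive mode a flow from the client out to a server-chosen high port.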