Oh Gee...

Both of you need to read 'Building Internet Firewalls' (O'Reilly & 
Associates, Inc.). PASV ftp connections require a random high port
to random high port connection. If only a filtering router is used,
to permit PASV ftp will permit ANY high port to high port connection
(such as X-Windows...). To limit the size of this hole, you need
to pipe PASV ftp through a proxy application gateway so the proxy
keeps track of what ports have been negotiated.

The only advantage that PASV ftp has over normal ftp (besides 
built in browser support) is that PASV connections are all
initiated by the Client instead of the data channel being
initiated by the Server in normal ftp.

Personal Opinions Provided By
Leonard Miyata
aka [EMAIL PROTECTED]
GEMINI COMPUTERS Inc.

On Wed, 17 Mar 1999, Boydstun, Ken wrote:

> I've been out for the past few days, but this is a topic I would also be
> interested in knowing about...
> 
> Ken Boydstun, CSA CISA
> Information Security Engineering
> Associates Information Services
> 
> > -----Original Message-----
> > From:       Brad Moore [SMTP:[EMAIL PROTECTED]]
> > Sent:       Friday, March 12, 1999 6:36 PM
> > To: [EMAIL PROTECTED]
> > Subject:    Passive FTP
> > 
> > What are the pros and cons (security wise) of allowing passive FTP
> > connections?  And, what must I do at the screening router for this (if I
> > allow it)?
> > 
> > Thanks,
> > Brad
> > 
> > --
> > Brad Moore
> > Network Support Supervisor
> > Valley Media, Inc.
> >  
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> 
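
An added illustration of the point in the reply at the top of this thread (not code from any poster or from the book cited): a static "high port to high port" router rule compared with a proxy that only permits the data port it saw negotiated in the server's 227 reply. The class and function names, the addresses and the sample reply are constructed for the example, and the check that the reply names the control-channel peer is an assumption of this sketch.

```python
import re

# RFC 959 reply to PASV: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_pasv_reply(line):
    """Return (ip, port) from a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(line)
    if not m or any(int(g) > 255 for g in m.groups()):
        return None
    nums = [int(g) for g in m.groups()]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def static_filter_allows(src_port, dst_port):
    """The filtering-router rule: any high port to any high port."""
    return src_port > 1023 and dst_port > 1023

class PasvTracker:
    """Hypothetical proxy state: permits only data ports seen in a 227 reply."""
    def __init__(self):
        self.expected = set()  # (client_ip, server_ip, server_port)

    def on_server_reply(self, client_ip, server_ip, line):
        parsed = parse_pasv_reply(line)
        # Assumption: ignore replies naming a host other than the control peer.
        if parsed and parsed[0] == server_ip and parsed[1] > 1023:
            self.expected.add((client_ip, server_ip, parsed[1]))

    def allows(self, client_ip, dst_ip, dst_port):
        key = (client_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.remove(key)  # one data connection per negotiation
            return True
        return False

# Constructed sample: documentation addresses, not taken from the thread.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
REPLY = "227 Entering Passive Mode (198,51,100,5,195,149)"

def demo():
    proxy = PasvTracker()
    proxy.on_server_reply(CLIENT, SERVER, REPLY)
    return {
        "router_x11": static_filter_allows(40000, 6000),      # X11 display :0
        "proxy_x11": proxy.allows(CLIENT, SERVER, 6000),
        "proxy_ftp_data": proxy.allows(CLIENT, SERVER, 50069),
        "proxy_replay": proxy.allows(CLIENT, SERVER, 50069),
    }
```
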