Graham Wheeler wrote:
> 
> For `dumb' firewalls (i.e. simple packet filtering systems), allowing
> passive mode only is more secure. For `smart' firewalls (i.e.
> application proxy or SPFs) either can be supported, but active has the
> advantage that once the PORT command has been inspected, all the details
> of the expected connection attempt are known (client and server
> addresses and ports) - and the necessary incoming `hole' can be opened
> up for a short period while waiting for the connection attempt.

.... but you still don't know if the port that the inside client
requested is safe or not. It could be a bogus request from a java
applet, and no firewall in the world would be able to tell the
difference :)

For the client side, passive FTP always provides better security.
For clients, active mode has no "advantages" the way I see it,
only drawbacks. And big ones at that.

(On the other hand, passive FTP creates problems at the server side,
but a few servers are easier to harden than millions of clients)

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
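As an added illustration of the PORT inspection both posters describe (example code, not written by either author): a firewall decodes the PORT argument to learn the exact inbound connection it should expect, then applies the checks a stateful inspector can make before opening a short-lived hole. The client address and the control-channel lines are constructed sample data.

```python
import re

# Constructed sample: an inside client at 10.0.0.5 issues PORT commands on the
# FTP control channel; the firewall sees each line and must decide whether to
# open a pinhole for the server's incoming data connection.
CLIENT_IP = "10.0.0.5"
CONTROL_LINES = [
    "PORT 10,0,0,5,200,17",   # ephemeral port 51217 on the client itself
    "PORT 10,0,0,9,200,17",   # points at a different inside host
    "PORT 10,0,0,5,0,25",     # points at the client's own SMTP port
    "PORT 10,0,0,5,300,1",    # octet out of range: malformed
]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # high byte, low byte
    return ip, port


def allow_data_connection(line, client_ip):
    """Return (allowed, reason). 'allowed' means: open a pinhole only for
    server -> client_ip:port, and only until that one connection arrives.
    Note the limit Mikael Olsson points out: a PORT that passes every check
    may still have been issued by hostile code running on the client."""
    parsed = parse_port(line)
    if parsed is None:
        return False, "malformed PORT"
    ip, port = parsed
    if ip != client_ip:
        return False, "address is not the client's own"
    if port < 1024:
        return False, "privileged port"
    return True, f"expect server -> {ip}:{port}"


if __name__ == "__main__":
    for line in CONTROL_LINES:
        print(line, "->", allow_data_connection(line, CLIENT_IP))
```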
