There is also the problem of "FTP bouncing". The client is able to do
redirects if the server allows this. I have also noticed that Microsoft's
FTP server uses random high ports for the data connection instead of port
20. This results in a log entry on the Checkpoint firewall indicating that
the client attempted to open other service port or other host port. The only
way I found to work around this is to modify the "base.def" file to allow
these connections. Does anyone else have similar experience with the
Microsoft FTP server? Why does Microsoft behave this way and is there a way
to change this behavior?
Lance
----- Original Message -----
From: "Mikael Olsson" <[EMAIL PROTECTED]>
To: "Graham Wheeler" <[EMAIL PROTECTED]>
Cc: "Andrew Lawrence" <[EMAIL PROTECTED]>; "Firewalls (E-mail)"
<[EMAIL PROTECTED]>
Sent: Tuesday, August 15, 2000 5:58 AM
Subject: Re: Passive mode ftp
>
>
> Graham Wheeler wrote:
> >
> > For `dumb' firewalls (i.e. simple packet filtering systems), allowing
> > passive mode only is more secure. For `smart' firewalls (i.e.
> > application proxy or SPFs) either can be supported, but active has the
> > advantage that once the PORT command has been inspected, all the details
> > of the expected connection attempt are known (client and server
> > addresses and ports) - and the necessary incoming `hole' can be opened
> > up for a short period while waiting for the connection attempt.
>
> .... but you still don't know if the port that the inside client
> requested is safe or not. It could be a bogus request from a java
> applet, and no firewall in the world would be able to tell the
> difference :)
>
> For the client side, passive FTP always provides better security.
> For clients, active mode has no "advantages" the way I see it,
> only drawbacks. And big ones at that.
>
> (On the other hand, passive FTP creates problems at the server side,
> but a few servers are easier to harden than millions of clients)
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
> Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
> WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
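The PORT inspection and the "FTP bouncing" concern discussed in this thread, as an added example that is not part of the original messages or any firewall's own code: a sketch of the check a stateful filter could apply to a PORT command or a 227 passive reply before opening a temporary hole. The function names, the rejection of ports below 1024, and the sample addresses (constructed, from documentation ranges) are assumptions.

```python
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 used by PORT and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"\b" + ",".join([r"(\d{1,3})"] * 6) + r"\b")

def parse_hostport(line):
    """Return (ip, port) advertised in a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def pinhole_for(line, client_ip, server_ip):
    """Return ("allow", src, dst, dst_port) or ("deny", reason) for one control line."""
    line = line.strip()
    is_port = line.upper().startswith("PORT ")
    is_pasv = line.startswith("227 ")
    if not (is_port or is_pasv):
        return ("deny", "not a data-channel negotiation")
    hp = parse_hostport(line)
    if hp is None:
        return ("deny", "malformed host-port")
    ip, port = hp
    # The advertised endpoint must belong to the party that sent the line;
    # a PORT naming some other host is the FTP bounce case.
    if ip != (client_ip if is_port else server_ip):
        return ("deny", "address mismatch (possible FTP bounce)")
    if port < 1024:  # assumed policy: never open a hole to a well-known service port
        return ("deny", "privileged port requested")
    # Active: the server connects in to the client. Passive: the client connects out.
    # Neither check can tell whether the client program really intended the request.
    if is_port:
        return ("allow", server_ip, client_ip, port)
    return ("allow", client_ip, server_ip, port)

if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # constructed sample addresses
    for sample in ("PORT 192,0,2,10,19,137",        # active, client names itself
                   "PORT 10,0,0,7,0,23",            # names a third host
                   "PORT 192,0,2,10,0,139",         # own address, low port
                   "227 Entering Passive Mode (198,51,100,5,195,80)"):
        print(sample, "->", pinhole_for(sample, CLIENT, SERVER))
```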