mouss wrote:
> > which may be stated as follows:
> - passive mode is better when the FW protects clients.
> - active mode is better when the FW protects servers.
>
> but designing a new protocol would be better than both modes.

Although in principle it is possible to request a data port connection from a separate IP, I wonder if that is the reality. If the server "deviates" from the RFCs only in this respect, that is, the data connection must come from the same host as the control connection, much of the passive mode headache can be eliminated. Because:

1) PASV data ports may be chosen from a small range (say 100), and said data ports can be constantly listened on and can perform an accept-fork loop. This way the holes for data ports on the external router can be made small, the holes may all be listened on and thus cannot be listened on unknowingly, and the connecting peer IP (but not the port number) can be authenticated. Also, most FTP clients won't be affected.

What do you think of this as a tentative workaround for the FTP server difficulty?

horio shoichi

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
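A sketch of the data-port acceptor described in the post, added here as an example and not code from the original thread or from any particular FTP server; it assumes a fixed range of 100 ports starting at 60000 and, as the post proposes, compares only the peer IP of the data connection with that of the control connection, never the port:

```python
import ipaddress
import socket

PASV_PORT_RANGE = range(60000, 60100)  # assumed small PASV range (~100 ports)

def peer_allowed(control_peer_ip: str, data_peer_ip: str) -> bool:
    """The one deviation from the RFC: the data connection must originate
    from the same host as the control connection. Port is deliberately ignored."""
    return ipaddress.ip_address(control_peer_ip) == ipaddress.ip_address(data_peer_ip)

def bind_passive_listener(bind_ip: str) -> socket.socket:
    """Bind and listen on the first free port of the fixed PASV range."""
    for port in PASV_PORT_RANGE:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((bind_ip, port))
            sock.listen(5)
            return sock
        except OSError:
            sock.close()
    raise RuntimeError("no free port in PASV range")

def accept_data_connection(listener, control_peer_ip, timeout=2.0):
    """Accept loop for one data port: connections from any host other than
    the control peer are closed; the first matching one is returned, else None."""
    listener.settimeout(timeout)
    try:
        while True:
            conn, (ip, _) = listener.accept()
            if peer_allowed(control_peer_ip, ip):
                return conn
            conn.close()  # a real server would log the unexpected source here
    except socket.timeout:
        return None

def loopback_demo() -> tuple:
    """Self-check over 127.0.0.1: (same host accepted, foreign control IP rejected)."""
    results = []
    for control_ip in ("127.0.0.1", "192.0.2.1"):  # second is a constructed mismatch
        listener = bind_passive_listener("127.0.0.1")
        client = socket.create_connection(("127.0.0.1", listener.getsockname()[1]))
        got = accept_data_connection(listener, control_ip, timeout=1.0)
        results.append(got is not None)
        for s in (got, client, listener):
            if s is not None:
                s.close()
    return tuple(results)  # (True, False)
```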