I am starting to fear that there is something very basic that I am missing. In order
to avoid the example that Tobias puts forth below, I configured both Netscape and IE
to use the WinRoute Pro 4.1 Proxy for FTP - and I then block all direct traffic
to/from anything I don't know we need/want open. And NAT all traffic to the
Internet to boot.
How vulnerable am I now to something tunneling through my Proxy? Only an app/trojan
on the inside, right? What is wrong with this solution that I am missing?
Guy Skaggs
Director of Technology
Martingale Asset Management
------------------------------------------------------
[EMAIL PROTECTED] wrote:
Date: Tue, 12 Dec 2000 08:47:26 +0100
From: "Reckhard, Tobias" <[EMAIL PROTECTED]>
Subject: RE: Simple Pimple firewalls
... For clients (actually, for the dumb packet
filters in between), active FTP is bad because a connection to a random port
on the client is initiated from the server side. Passive FTP isn't a lot
better because all it gets you is a reversal of the initiation. That is
something, yes, but almost anything can go through the following rule
combination:
<inside IP>:1024-65535 -----TCP----> <any IP>:1-65535
<inside IP>:1024-65535 <--TCP/-SYN-- <any IP>:1-65535
....
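
Added example, not part of the original messages: a minimal stateless filter that applies the rule pair quoted above to a few constructed packets, to show what the pair admits when it is opened for passive FTP. It assumes "/-SYN" means "drop packets with SYN set and ACK clear"; the names `stateless_filter`, `pkt` and `SAMPLES` and all port numbers are made up for illustration.

```python
from dataclasses import dataclass

HIGH_PORTS = range(1024, 65536)   # <inside IP>:1024-65535
ANY_PORT = range(1, 65536)        # <any IP>:1-65535

@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = inside -> Internet, "in" = Internet -> inside
    inside_port: int
    outside_port: int
    flags: frozenset      # TCP flags set on the packet

def is_bare_syn(p):
    # Assumption: "/-SYN" means "no connection-opening packet" (SYN without ACK).
    return "SYN" in p.flags and "ACK" not in p.flags

def stateless_filter(p):
    """Apply the two rules per packet, with no connection tracking."""
    if p.inside_port not in HIGH_PORTS or p.outside_port not in ANY_PORT:
        return "DROP"
    if p.direction == "out":
        return "ACCEPT"                       # rule 1: any outbound TCP
    if p.direction == "in" and not is_bare_syn(p):
        return "ACCEPT"                       # rule 2: inbound TCP except bare SYN
    return "DROP"

def pkt(direction, inside_port, outside_port, *flags):
    return Packet(direction, inside_port, outside_port, frozenset(flags))

# Constructed sample packets (ports chosen for illustration only).
SAMPLES = {
    "passive FTP data connect": pkt("out", 40001, 50123, "SYN"),
    "server SYN+ACK reply": pkt("in", 40001, 50123, "SYN", "ACK"),
    "outbound to arbitrary non-FTP port": pkt("out", 40002, 6667, "SYN"),
    "inbound connection attempt": pkt("in", 1025, 20, "SYN"),
    "unsolicited inbound ACK, no session": pkt("in", 1025, 80, "ACK"),
}

def evaluate():
    return {name: stateless_filter(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict:6} {name}")
```

Only the inbound bare SYN is dropped; the non-FTP outbound connection and the inbound ACK with no matching session are accepted, because the filter looks at flags and ports alone and keeps no per-connection state.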