On Fri, 1 Jun 2001, Ben Nagy wrote:
> In passive FTP, instead of saying "connect back to me on..." the client says
> "OK, can I have a port to connect to _you_ on so you can give me the data?",
> connections will be able to cope with this.
>
> As a note, you then need a stateful firewall at the server end - the
> server's firewall has to read the PASV command to know what to open, for
> similar reasons.
Yup, and one thing I found useful with some FTP servers was the ability to
define the passive port range. For example, if you define a pasv port range
of 15000-15500, you have greatly enhanced your security compared with
permitting TCP traffic to ports > 1024.
--truman
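As an added illustration of the two points above (this is example code written for this page, not something either poster supplied): a small model of what the stateful firewall in front of the FTP server has to do. It parses the server's 227 reply to the client's PASV command, works out the announced data port, and decides whether to open a pinhole under a blanket "permit tcp > 1024" rule versus a configured 15000-15500 passive range. The server address 192.0.2.10, the sample reply lines and the variable names are all constructed for the example. The address check (refusing a 227 reply that names a host other than the one the control connection goes to) is an extra sanity check a firewall should do; the thread does not discuss it.

```python
"""Stateful-firewall view of passive FTP: parse the 227 reply to PASV and
decide whether to open a pinhole for the announced data port.

Added example for illustration; server address, port range and reply lines
are constructed, not taken from the original thread.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# 227 reply per RFC 959, e.g. "227 Entering Passive Mode (192,0,2,10,58,152)".
# Only the reply code and the six decimal fields are fixed by the RFC, so match
# those rather than the surrounding wording, which differs between servers.
PASV_REPLY_RE = re.compile(
    r"^227\b[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# Hypothetical deployment values (assumptions, not from the thread).
SERVER_IP = "192.0.2.10"            # address the control connection was made to
PASV_RANGE = (15000, 15500)         # passive range configured on the FTP server
EPHEMERAL_RANGE = (1025, 65535)     # what "permit tcp > 1024" amounts to


@dataclass(frozen=True)
class PasvEndpoint:
    host: str
    port: int


def parse_pasv_reply(line: str) -> PasvEndpoint:
    """Extract host and port from a 227 reply; raise ValueError if malformed."""
    m = PASV_REPLY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {line!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # p1*256 + p2, as RFC 959 specifies
    return PasvEndpoint(host, port)


def pinhole_decision(line: str, server_ip: str,
                     allowed_ports: Tuple[int, int]) -> Tuple[bool, str]:
    """Return (open_pinhole, reason) for the data connection a 227 reply announces.

    Two checks: the announced address must be the server the client is already
    talking to (otherwise the reply could steer a hole toward some other host),
    and the port must fall inside the range the firewall is told to trust."""
    try:
        ep = parse_pasv_reply(line)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if ep.host != server_ip:
        return False, f"address {ep.host} does not match server {server_ip}"
    lo, hi = allowed_ports
    if not lo <= ep.port <= hi:
        return False, f"port {ep.port} outside {lo}-{hi}"
    return True, f"open {ep.host}:{ep.port}"


def exposed_port_count(allowed_ports: Tuple[int, int]) -> int:
    """How many destination ports a rule on this range leaves reachable."""
    lo, hi = allowed_ports
    return hi - lo + 1


# Constructed 227 replies (not captured traffic).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,58,152)",    # port 15000, in range
    "227 Entering Passive Mode (192,0,2,10,4,1)",       # port 1025, > 1024 only
    "227 Entering Passive Mode (192,0,2,10,60,148)",    # port 15508, just above
    "227 Entering Passive Mode (198,51,100,7,58,152)",  # another host's address
    "500 Syntax error, command unrecognized",            # not a PASV reply
]


if __name__ == "__main__":
    print(f"ports exposed, tcp > 1024 : {exposed_port_count(EPHEMERAL_RANGE)}")
    print(f"ports exposed, pasv range : {exposed_port_count(PASV_RANGE)}")
    for reply in SAMPLE_REPLIES:
        loose = pinhole_decision(reply, SERVER_IP, EPHEMERAL_RANGE)
        strict = pinhole_decision(reply, SERVER_IP, PASV_RANGE)
        print(f"{reply!r}\n  >1024: {loose}\n  range: {strict}")
```

The port arithmetic (p1*256 + p2) is the part people most often get wrong by hand; 58,152 comes out to exactly 15000. With the blanket rule the firewall trusts 64511 ports, with the configured range 501, which is the reduction the post is getting at. The decision logic is the same whether the firewall does it as an FTP application-layer helper or you reproduce it in a test harness.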
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]