On 07/12/2012 08:13 PM, kpn...@pobox.com wrote:
> On Thu, Jul 12, 2012 at 06:44:56PM +0100, Kaya Saman wrote:
>> I do in fact work for this company and additionally I am one of the
>> administrators of the company.
>>
>> The information comes straight down from the IT director who will
>> **not** change his mind on this as I have asked several times in the
>> past.
>>
>>
>> Basically without getting too distracted and off-topic: I open the
>> ports on the firewall - tomorrow I am not employed anymore.
> So called "active" ftp requires having the server open a connection back
> to the client. This will be blocked by a firewall unless the firewall
> has special support for it. I can see having a firewall not allow
> those connections into your network.
>
> With "passive" ftp with or without a proxy all connections are opened from
> your end. No opening up of the firewall is required. Plus, if you don't
> touch your firewall then attempted use of active ftp will just result in
> a hung network connection.
>
> I believe active ftp was the default and perhaps only option for a number
> of years.
>
> Does your IT director understand the active/passive distinction? If not
> then perhaps you could explain it in a way that acknowledges that his
> concerns have some merit but those concerns are not relevant to passive
> ftp.
>
> Yes, this is very easy for me to suggest since I don't know any of the
> relevant people and my paycheck is not on the line. And my suggestion
> may be worth what you paid for it. ;)

Hi,

Of course everything is known but still it is preferred to keep a total lock-down on outbound ports.

We handle a lot of highly sensitive information and that's the need for the severe lock-down. Even the web-proxy is restricted to the sites accessible meaning that we need to request access if we need to go somewhere not governed by that proxy.


Regards,


Kaya

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
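
The active/passive distinction discussed in this thread, as an added example that is not part of the original messages: it reads FTP control-channel lines and reports, for each negotiated data channel, which side opens the connection and to which address and port, which is what a firewall policy has to account for. The function names and the sample traffic (documentation addresses) are constructed for illustration.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port form).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _endpoint(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connections(control_lines):
    """Return a list of (mode, initiator, dest_ip, dest_port), one per data channel.

    control_lines: iterable of (sender, line); sender is "client" or "server".
    """
    flows = []
    for sender, line in control_lines:
        line = line.strip()
        if sender == "client" and line.upper().startswith("PORT "):
            ep = _endpoint(line[5:])
            if ep:  # active: server connects back to the address the client announced
                flows.append(("active", "server", *ep))
        elif sender == "server" and line.startswith("227"):
            ep = _endpoint(line[3:])
            if ep:  # passive: client connects out to the address the server announced
                flows.append(("passive", "client", *ep))
    return flows


# Constructed sample control-channel traffic (RFC 5737 documentation addresses).
SAMPLE = [
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,5,234,96)"),
]

if __name__ == "__main__":
    for mode, who, ip, port in data_connections(SAMPLE):
        print(f"{mode:8} data connection opened by {who} to {ip}:{port}")
```

In the passive case the destination port is chosen by the server for each transfer, so the client-side firewall sees an outbound connection to a port that is not fixed in advance.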
