You can always use IP passthrough on the DMZ (with public IPs). We have moved to that sort of setup, in which case, if the firewall ever chokes, you just remove it and put a secondary IP on your border router until you get the firewall back in place.
On Tue, 25 Jul 2000 13:20:49 -0400, you wrote:
>If they plan on allowing people on the Internet to ftp into the site,
>then port 21 will need to be open (or else people on the Internet will
>have to do some convoluted things to get into their ftp server).
>
>If they only plan on using ftp for their own use, then they might
>move it to another port, but there wouldn't be much point to it since
>any port scanner would find the open port and any decent one would
>also be able to tell you that it was running an ftp server.
>
>As a general rule, security by obscurity isn't the best policy.
>It would be much better to leave ftp at its default port and
>make sure that it is properly secured.
>
>Another rule is that the firewall is only there to protect
>non-server machines. Any machine that is providing a service
>on the Internet should be hardened as if the firewall weren't
>there.
>
>Mike Burden
>Lynk Systems
>(616)532-4985
>[EMAIL PROTECTED]
>
>
>Gerald Davies [[EMAIL PROTECTED]] wrote:
>> Hi,
>>
>> I would've thought it was better to advise him to shift ftp away from its
>> default port. I know I'm straying off topic here but it should also be
>> stressed that a firewall is pointless if the server is incorrectly
>> configured. In the past I have dealt with clients that believed that just
>> because they had firewall'd servers that they were secure - IIS4 being the
>> culprit in this case, but you can see my point.
>>
>> regards,
>>
>> Gerald.
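The point made in the quoted reply, that moving FTP off port 21 hides nothing because the server announces itself as soon as anything connects, shown as an added Python example that is not part of the original thread. The stand-in server, its greeting text and all function names are constructed for illustration, and everything runs on loopback.

```python
import socket
import socketserver
import threading

# Constructed greeting; real FTP servers send a 220 reply on connect (RFC 959).
GREETING = b"220 example FTP server ready\r\n"

class FakeFtp(socketserver.BaseRequestHandler):
    """Stand-in for an FTP daemon: sends the greeting, then closes."""
    def handle(self):
        self.request.sendall(GREETING)

def identify(host, port, timeout=2.0):
    """Connect and classify the service from its unsolicited greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return "no-answer", ""
    # Simplified match: a 220 reply whose text mentions FTP.
    if banner.startswith("220") and "ftp" in banner.lower():
        return "ftp", banner
    return "unknown", banner

def demo():
    """Run the stand-in on an OS-chosen, non-default loopback port and probe it."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeFtp) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return port, identify("127.0.0.1", port)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    port, (service, banner) = demo()
    print(f"port {port}: {service} ({banner!r})")
```

Run against your own hosts, the same check shows which listening ports still advertise FTP regardless of port number, which is why the hardening advice in the thread applies to the server itself.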
