/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Randy Perry wrote:

> on 10/8/00 2:33 PM, David Ranch at [EMAIL PROTECTED] wrote:
> 
> >> But, I tested opening ALL ports by making the FTP server a DMZ host (meaning
> >> all ports were forwarded to it from the router) and passive connections
> >> still wouldn't work (actually they could connect, but an 'ls' command failed
> >> with 'network unreachable'). Passive connections work fine if I take out the
> >> router.
> > 
> > Though in theory this should work, it will screw up the MASQ server.
> > Realistically, if you want to do stuff like this, you should get
> > another IP from your ISP and run 1:1 NAT and not 1:Many NAT.
> > 
> >
> Actually we have a 14-address subnet from the ISP. I said in the 1st part of
> my post that we're using a hardware router (or maybe I wasn't clear on that;
> we've tried 2 hardware routers a Macsense and a Linksys with the same
> results).  Is it possible to do 1:1 with it? We still need 1:many for the
> rest of the network; would we need a 2nd router after the server?

yes, the router in front of your perimeter network/DMZ should just filter,
not masquerade or NAT. the DMZ is public. the router behind the DMZ (between
it and your internal network) can do masquerading or whatever. ftp servers
are at very high risk of intrusion. keep them out of your internal network
and assume they will be broken into sooner rather than later.

> >> I've heard it's pretty dangerous to open up SMB ports to the world. For our
> >> Mac clients we may consider opening afpovertcp with DHX encryption.
> > 
> > FTP is the most efficient but is insecure (clear text passwords)

rsync is the most efficient by a factor of 10 (when performing updates).
and when run over ssh, it's very secure as well.

> > SMB is pretty decent but is also insecure
> > NFS is getting better on Linux but is VERY insecure
> > 
> >> Can anyone give advice how to solve the passive FTP problem or suggest an
> >> alternative method of file xfer. SSH and SCP are out; installation, setup,
> >> and use are just too complicated for non-computer people.
> > 
> > You do realize there are SFTP clients.  Right?
> 
> Actually, I didn't. Do SFTP clients not have the passive connection problem?

that's right. it runs over a ssh2 connection (like scp and rsync run over
a ssh1 connection). but not only does it require ssh (which you won't
accept), it requires ssh2 which can cost money.

if rsync/scp/ssh isn't an option, fix your topology so there's no packet
munging between your clients and the ftp server. their passwords can
still be sniffed but at least it will work.

raf
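The "connects fine, but `ls` fails with network unreachable" symptom raf's topology advice addresses comes from the FTP server answering PASV with the address it sees on its own interface, which behind 1:many NAT is a private one the client cannot reach. The following is an added diagnostic (not code from the thread or any project it names) that parses a 227 reply and flags that case; the reply strings and the peer address 203.0.113.5 are constructed sample values.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges only. ipaddress.is_private is deliberately not used: it
# also flags documentation ranges such as 203.0.113.0/24, which we use below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, control_peer):
    """Classify a PASV reply from the client's point of view.

    control_peer is the public address the client dialled for the control
    connection. Returns 'ok', 'private-addr' (server leaked an RFC 1918
    address: the 1:many NAT symptom, data connection will be unreachable),
    'addr-mismatch' (public but different address, e.g. a NAT rewrite or
    multi-homed host) or 'malformed'.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    host, _port = parsed
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in RFC1918):
        return "private-addr"
    if host != control_peer:
        return "addr-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed sample replies as a client dialling 203.0.113.5 might see them.
    for reply in ("227 Entering Passive Mode (192,168,1,20,19,137)",
                  "227 Entering Passive Mode (203,0,113,5,19,137)",
                  "500 Syntax error"):
        print(diagnose_pasv(reply, "203.0.113.5"), "<-", reply)
```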

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.