At 01:32 AM 11/17/01, Pong wrote:

>if they allow you to connect to port 21 (the ftp control port),
>there's no reason to block you from downloading from the data port.
>simply put, something is blocking your access to the ftp data port; that's
>why it times out. try forcing a passive mode ftp data connection
>by typing 'passive' repeatedly until the ftp session toggles it to
>'Passive mode on'
>
>ftp> passive
>Passive mode off.
>ftp> passive
>Passive mode on.
>
>once it's in passive mode, then do an 'ls'. if it succeeds
>then, you now can download.  in passive mode, both connections
>(control and data) to the ftp server are initiated from your
>ftp client, which helps you bypass any firewall in between
>that would prevent the ftp server from initiating the data connection
>to you instead.

ahh, that's the problem.  i forgot that i was on a box that 
had input deny as the default policy (but allowing established 
connections; this was on FreeBSD).  i just tried that and i 
see that it's 5.2 on there, so i guess i won't be grabbing 
that tonight.  i already have that.

i've got some other questions about firewalls and networking 
and i may as well ask them now that the topic comes up.

1.  i've got ip-masq on my dialup-server.  when i do 

     netstat -a 

     i see connections from the server to internal boxes and
     connections from the server to external boxes, but i don't
     see masqueraded connections.  is there a way to see what
     masqueraded connections are active?  

2.  in general, "input deny by default is more secure" than
     input accept by default.  of course.  but if i've got
     my firewall selectively allowing only trusted hosts to
     connect to ports where daemons are listening 

        e.g., the only service on box B1 is HTTP and i've got 
        a firewall rule that says only IPs in the range 
        ABC.DEF.GHI.0-16 can connect to B1:80

     what benefit is there in denying by default to ports where
     no servers are listening?  (naturally, i'd let established
     connections, started from inside, through the firewall).

     or maybe that's the wrong question.  better would be, how
     would an attacker, ah, attack a box like that where there
     are no open ports to connect to?  i don't think "deny by
     default (allowing established)" defends against man in the
     middle or session hijacking.  and the attacker can't run 
     a portmap exploit if the firewall won't let him see the 
     portmap service.  so what else could an attacker try?  
     just wondering.

At 04:13 AM 11/16/01, Rommel Feria wrote:
>StarOffice 6.0 beta does not include Adabas.

OK, thanks.  i was mixing my experience with 5.2 and 
6.0beta.  

tiger
-- 
Gerald Timothy Quimpo                      [EMAIL PROTECTED]
Research, Development, Consulting          [EMAIL PROTECTED]
   Entia non sunt multiplicanda praeter necessitatem
                  Veritas liberabit vos
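Pong's point about who initiates the FTP data connection, worked through as an added example that is not code from this thread: a throwaway FTP server runs in a thread on 127.0.0.1, and a client does one LIST against it first in active (PORT) mode and then in passive (PASV) mode, recording which side had to open the data connection. The listing text, the host/port encoding helpers and the minimal command set the fake server understands are my own constructions; it assumes Python 3 and a working loopback interface.

```python
# Added example, not from the thread: who opens the FTP data connection in
# active (PORT) vs. passive (PASV) mode, against a fake server on 127.0.0.1.
import re
import socket
import threading

# h1,h2,h3,h4,p1,p2 - the encoding both the PORT command and the 227 reply use
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Constructed listing the fake server returns for LIST.
LISTING = b"-rw-r--r--   1 ftp  ftp  1234 Nov 17  2001 so-5_2-linux.tar.gz\r\n"


def decode_hostport(text):
    """'227 ... (h1,h2,h3,h4,p1,p2)' or 'PORT h1,...,p2' -> ('h1.h2.h3.h4', p1*256+p2)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host/port in %r" % text)
    n = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport: ('10.0.0.2', 2048) -> '10,0,0,2,8,0'."""
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def fake_ftp_server(ctrl_listener, log):
    """Serve one control session; understands PASV, PORT and LIST, ends on EOF."""
    conn, _ = ctrl_listener.accept()
    rd = conn.makefile("rb")
    conn.sendall(b"220 fake ftp ready\r\n")
    pending = None
    for raw in rd:
        cmd = raw.decode().strip()
        if cmd == "PASV":  # passive: server listens and tells the client where
            lst = socket.socket()
            lst.bind(("127.0.0.1", 0))
            lst.listen(1)
            pending = ("passive", lst)
            conn.sendall(("227 Entering Passive Mode (%s)\r\n"
                          % encode_hostport(*lst.getsockname())).encode())
        elif cmd.startswith("PORT "):  # active: client listens, server calls back
            pending = ("active", decode_hostport(cmd))
            conn.sendall(b"200 PORT command successful\r\n")
        elif cmd == "LIST":
            conn.sendall(b"150 Opening data connection\r\n")
            if pending[0] == "passive":
                data, _ = pending[1].accept()
                pending[1].close()
                log.append("server accepted inbound data connection (passive)")
            else:
                data = socket.create_connection(pending[1])
                log.append("server opened outbound data connection (active)")
            data.sendall(LISTING)
            data.close()
            conn.sendall(b"226 Transfer complete\r\n")
    rd.close()
    conn.close()


def client_session(mode, log):
    """Do one LIST in 'active' or 'passive' mode and return the listing text.

    `log` records which side initiated the data channel: only the passive run
    gets through a default-deny input policy that admits established flows,
    because both of its connections leave the client."""
    ctrl_listener = socket.socket()
    ctrl_listener.bind(("127.0.0.1", 0))
    ctrl_listener.listen(1)
    srv = threading.Thread(target=fake_ftp_server, args=(ctrl_listener, log))
    srv.start()
    ctrl = socket.create_connection(ctrl_listener.getsockname())
    rd = ctrl.makefile("rb")
    rd.readline()  # 220 banner
    data_listener = None
    if mode == "passive":
        ctrl.sendall(b"PASV\r\n")
        data = socket.create_connection(decode_hostport(rd.readline().decode()))
        log.append("client opened outbound data connection (passive)")
    else:
        data_listener = socket.socket()
        data_listener.bind(("127.0.0.1", 0))
        data_listener.listen(1)
        ctrl.sendall(("PORT %s\r\n" % encode_hostport(*data_listener.getsockname())).encode())
        rd.readline()  # 200
    ctrl.sendall(b"LIST\r\n")
    rd.readline()  # 150
    if data_listener is not None:
        data, _ = data_listener.accept()  # the server connects in to us
        data_listener.close()
        log.append("client accepted inbound data connection (active)")
    with data.makefile("rb") as f:
        listing = f.read()  # until the server closes the data channel
    data.close()
    rd.readline()  # 226
    rd.close()  # closing the file object lets ctrl.close() send EOF to the server
    ctrl.close()
    srv.join()
    ctrl_listener.close()
    return listing.decode()
```

Run `client_session("active", events)` and `client_session("passive", events)` with an empty list each time and compare the events: in active mode the server has to open a connection to the client, which a default-deny input filter that only passes established connections will silently drop, so the real-world symptom is exactly the `ls` that hangs until it times out; in passive mode the client opens both connections, so the same filter lets the reply packets through as part of an established flow.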
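On question 1 (seeing the masqueraded connections that `netstat -a` never shows, because they belong to no local socket): on a 2.2 kernel with ipchains the table is printed by `ipchains -M -L -n` or `cat /proc/net/ip_masquerade`; on 2.4 with iptables it is `/proc/net/ip_conntrack` (later kernels: `/proc/net/nf_conntrack` or `conntrack -L`). The following is an added example, not code from the thread, that parses the 2.4 `ip_conntrack` line format and picks out the flows the gateway is rewriting. The sample table is constructed (a gateway with outside address 203.0.113.1 masquerading 192.168.1.0/24) and the field layout is assumed to be the one shown in it; it assumes Python 3.

```python
# Added example, not from the thread: find masqueraded (NATed) flows in a
# Linux connection-tracking table in the /proc/net/ip_conntrack format.
import re

KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

# Constructed sample.  Entries 1-2 are LAN hosts going out through the gateway
# (masqueraded), entry 3 is the gateway itself going out, entry 4 is an inbound
# SYN to the gateway that has not been answered yet.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=33445 dport=80 src=198.51.100.20 dst=203.0.113.1 sport=80 dport=33445 [ASSURED] use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=1025 use=1
tcp      6 300 ESTABLISHED src=203.0.113.1 dst=198.51.100.21 sport=40001 dport=21 src=198.51.100.21 dst=203.0.113.1 sport=21 dport=40001 [ASSURED] use=1
tcp      6 110 SYN_SENT src=198.51.100.9 dst=203.0.113.1 sport=5000 dport=22 src=203.0.113.1 dst=198.51.100.9 sport=22 dport=5000 [UNREPLIED] use=1
"""


def parse_conntrack_line(line):
    """Split one entry into protocol, timeout, TCP state, flags and its two tuples.

    The first src/dst group is the original direction, as the packet that created
    the entry looked BEFORE NAT; the second is the expected reply, AFTER NAT."""
    fields = line.split()
    tuples = []
    for key, val in KV_RE.findall(line):
        if key == "src":  # every tuple starts with src=
            tuples.append({})
        if key in TUPLE_KEYS and tuples:
            tuples[-1][key] = val
    if len(tuples) != 2:
        raise ValueError("expected two tuples in %r" % line)
    return {
        "proto": fields[0],
        "timeout": int(fields[2]),
        "state": fields[3] if fields[0] == "tcp" else None,  # only tcp has one
        "flags": [f.strip("[]") for f in fields if f.startswith("[")],
        "orig": tuples[0],
        "reply": tuples[1],
    }


def translation_kind(entry):
    """'SNAT' (masquerade): replies are addressed to the gateway, not the originator.
    'DNAT' (port forward): replies come from a host other than the one addressed.
    'none': the reply tuple is just the original reversed.  A flow with both
    rewrites is reported as SNAT."""
    o, r = entry["orig"], entry["reply"]
    if r["dst"] != o["src"]:
        return "SNAT"
    if r["src"] != o["dst"]:
        return "DNAT"
    return "none"


def masqueraded_flows(table_text):
    """The entries the gateway is masquerading: these never appear in netstat."""
    out = []
    for line in table_text.splitlines():
        if line.strip():
            entry = parse_conntrack_line(line)
            if translation_kind(entry) == "SNAT":
                out.append(entry)
    return out


def describe(entry):
    o, r = entry["orig"], entry["reply"]
    return "%s %s:%s -> %s:%s, seen by the peer as %s:%s" % (
        entry["proto"], o["src"], o.get("sport", "-"), o["dst"], o.get("dport", "-"),
        r["dst"], r.get("dport", "-"))


if __name__ == "__main__":
    for entry in masqueraded_flows(SAMPLE):
        print(describe(entry))
```

Feeding the real file in (`masqueraded_flows(open("/proc/net/ip_conntrack").read())`) gives the list the question asks for; the gateway's own outbound connections and inbound attempts to it show up as `none` and are the ones `netstat` already lists.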

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
