Re: IPF FTP configuration
- To: Hakan Olsson <ho@crt.se>, misc@openbsd.org
- Subject: Re: IPF FTP configuration
- From: vedu hariths <hariths.1@osu.edu>
- Date: 06 Aug 2001 11:37:41 -0400
- References: <Pine.GSO.4.33.0108061522200.8424-100000@spitfire.crt.se>
Hmmm, you are correct. I was thinking the other way around. I guess my
question was how do you specify the active/passive thing. Do you
have to do this on the FTP server side and allow all traffic in ... or
just restrict data?
vh
On 06 Aug 2001 15:33:30 +0200, Hakan Olsson wrote:
> Uh... the actual question aside, do you really want to do that?
>
> Basically, you're "protecting" the _outer_ network from the _inside_,
> which is probably not what you want. Unless you run a very odd network, I
> really don't see it...
>
> Passive mode was created to resolve some of the nasty network behaviour of
> active FTP, such as forcing us to open a large number of incoming ports
> for the data session.
>
> Reversing the directions like this (in fact, it's directly opposite what
> most others, including myself, do), leaves your internal network wide open
> to connections to a large number of TCP ports, i.e. attacks.
>
> /H
>
> On 6 Aug 2001, vedu hariths wrote:
>
> > Hi everyone, how does one specify in the ipf rules that we want to let
> > machines inside a firewall do active FTP and outside the firewall only
> > passive ftp? I do not need ipnat as the machines inside the firewall
> > already have public ip addresses, so no need for mapping.
> > Thank you,
> > vh
>
> --
> Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
> Unix, Networking, Security (+46) 31 701 4264 & Technology AB
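
The point made in the quoted reply, worked through as an added example (not part of the original thread, and not ipf syntax): it reads the FTP control-channel line that negotiates the data session (`PORT` for active, the `227` reply for passive, per RFC 959) and reports whether the firewall would have to accept an inbound connection to an inside host. The function names, the `client_inside` flag and the sample lines with documentation addresses are assumptions made for the illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT argument and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(line):
    """Return the (ip, port) a control-channel line announces, else None."""
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed: each field is a single byte
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(line, client_inside):
    """Describe the data session negotiated by one control-channel line.

    client_inside (assumed flag): True when the FTP client is behind the
    firewall and the server is outside, False for the opposite layout.
    """
    cmd = line.strip().upper()
    if cmd.startswith("PORT "):
        active = True    # client listens, server connects to it
    elif cmd.startswith("227 "):
        active = False   # server listens, client connects to it
    else:
        return None
    endpoint = parse_hostport(line)
    if endpoint is None:
        return None
    # The listener is the client in active mode and the server in passive mode.
    # The firewall must admit an inbound connection when the listener is inside.
    return {"mode": "active" if active else "passive",
            "listen": endpoint,
            "inbound": active == client_inside}


# Constructed sample lines (documentation addresses, not taken from the thread)
SAMPLES = [
    ("inside client, active", "PORT 192,0,2,10,195,80", True),
    ("inside client, passive", "227 Entering Passive Mode (198,51,100,5,234,96)", True),
    ("outside client, passive", "227 Entering Passive Mode (192,0,2,20,234,96)", False),
]

if __name__ == "__main__":
    for label, line, inside in SAMPLES:
        print(label, data_connection(line, inside))
```

In the layout asked about (inside clients active, outside clients passive), both cases come back with `inbound` set, which is the exposure the reply describes; only the inside-client passive case keeps the data connection outbound.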