[Gllug] passive ftp through f/w
Daniel P. Berrange
dan at berrange.com
Thu May 6 11:56:19 UTC 2004
On Thu, May 06, 2004 at 12:48:57PM +0100, Richard Jones wrote:
> On Thu, May 06, 2004 at 11:12:44AM +0100, Ben Fitzgerald wrote:
> > The inside interface is strict, in that all packets
> > are blocked unless explicitly allowed. I've allowed
> > stuff like ssh, http[s] etc. I want to allow ftp
> > out. Seems like passive ftp is the best way to go,
> > but is there a way to ftp out without having to
> > open up all high number ports outbound for the
> > data stream?
>
> In general no. With passive FTP, the FTP server specifies which port
> you must connect to, so you basically have to open up all outgoing
> connections (unless you collaborate with the owner of the FTP server,
> which I assume is not an option here).
If you have a stateful firewall (such as IPTables on Linux) then
the firewall can watch the main FTP connection for a 'PORT' command
and then open up only the outgoing port number specified as the argument
to this command. In fact with a stateful firewall, even active FTP
is /reasonably/ secure, since again it can sniff the FTP commands and
only open up the single incoming port required, restricting it to
connections from the IP address of the remote server.
Dan.
--
|=- http://www.berrange.com/~dan/gpgkey.txt -=|
|=- berrange at redhat.com - Daniel Berrange - dan at berrange.com -=|
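The mechanism Dan describes, as an added illustration that is not part of the original thread or of any firewall's code: a stateful FTP helper reads the control channel and turns each port announcement into one narrowly scoped pinhole. In active mode the port travels in the client's PORT command; in passive mode it travels in the server's 227 reply to PASV (and in the 229 reply to EPSV, which this sketch also handles). The addresses, the session transcript and the function names below are constructed for the example.

```python
"""Sketch of what an FTP-aware stateful firewall helper does: watch the
control channel (port 21) for port announcements and derive the single
data connection that should be allowed through."""
import re
from dataclasses import dataclass
from typing import List, Optional

# h1,h2,h3,h4,p1,p2 tuple used by PORT (client -> server) and by the
# 227 reply to PASV (server -> client). Port = p1 * 256 + p2.
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 extended passive reply: 229 Entering Extended Passive Mode (|||50000|)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class Expectation:
    """One data connection the firewall should pin-hole."""
    mode: str       # "active" or "passive"
    src_ip: str     # side that opens the data connection
    dst_ip: str     # side that accepts it
    dst_port: int   # the only port that needs to be opened


def _decode_hp(m: "re.Match", label: str):
    octets = [int(x) for x in m.group(1, 2, 3, 4)]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if max(octets + [p1, p2]) > 255:
        raise ValueError(f"malformed {label} tuple: {m.group(0)}")
    return ".".join(map(str, octets)), (p1 << 8) | p2


def expectation_from_line(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Return the data-channel Expectation implied by one control-channel
    line, or None if the line announces no port.

    Active (PORT): the client names its own listening port and the server
    connects to it, so the pinhole is server_ip -> client_ip:port.
    Passive (227 / 229): the server names its own port and the client
    connects, so the pinhole is client_ip -> server_ip:port.

    The address inside the tuple must equal the control-channel peer. A
    helper that trusted it blindly could be talked into opening a hole to
    a third host (nf_conntrack_ftp calls the relaxed behaviour 'loose').
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        m = _HP.search(text)
        if not m:
            raise ValueError(f"unparseable PORT command: {text}")
        ip, port = _decode_hp(m, "PORT")
        if ip != client_ip:
            raise ValueError(f"PORT names {ip}, control peer is {client_ip}")
        return Expectation("active", server_ip, client_ip, port)
    if text.startswith("227 "):
        m = _HP.search(text)
        if not m:
            raise ValueError(f"unparseable 227 reply: {text}")
        ip, port = _decode_hp(m, "227")
        if ip != server_ip:
            raise ValueError(f"227 names {ip}, control peer is {server_ip}")
        return Expectation("passive", client_ip, server_ip, port)
    if text.startswith("229 "):
        m = _EPSV.search(text)
        if not m:
            raise ValueError(f"unparseable 229 reply: {text}")
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError(f"bad EPSV port {port}")
        return Expectation("passive", client_ip, server_ip, port)
    return None


def track_session(control_lines, client_ip, server_ip) -> List[Expectation]:
    """Run every control-channel line through the helper and collect the
    pinholes; unknown lines (USER, PASS, RETR, 150, 226, ...) add nothing."""
    out = []
    for ln in control_lines:
        e = expectation_from_line(ln, client_ip, server_ip)
        if e is not None:
            out.append(e)
    return out


# Constructed control-channel transcript (not a real capture). Lines the
# client sent are unprefixed; server replies carry their 3-digit code.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SESSION = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest@",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256+80 = 50000
    "RETR README",
    "150 Opening BINARY mode data connection.",
    "226 Transfer complete.",
    "PORT 10,0,0,5,7,208",                              # 7*256+208 = 2000
    "200 PORT command successful.",
    "LIST",
    "226 Transfer complete.",
    "QUIT",
]

if __name__ == "__main__":
    for e in track_session(SESSION, CLIENT, SERVER):
        print(f"{e.mode:7} allow {e.src_ip} -> {e.dst_ip}:{e.dst_port}")
```

On a Linux box this is what the nf_conntrack_ftp (ip_conntrack_ftp in 2004-era kernels) helper does for you: with the module loaded, the data connection is classified as RELATED to the tracked control connection, so a rule accepting `--ctstate RELATED,ESTABLISHED` lets exactly that one flow through without opening the whole high-port range. The address check in the sketch matters in practice: only the port, never the peer address, should come from the announcement unless you deliberately enable loose matching.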