[Gllug] passive ftp through f/w
Ben Fitzgerald
ben_m_f at yahoo.co.uk
Thu May 6 12:06:29 UTC 2004
On Thu, May 06, 2004 at 12:56:19PM +0100, Daniel P. Berrange wrote:
> On Thu, May 06, 2004 at 12:48:57PM +0100, Richard Jones wrote:
> > On Thu, May 06, 2004 at 11:12:44AM +0100, Ben Fitzgerald wrote:
<snip>
> >
> > In general no. With passive FTP, the FTP server specifies which port
> > you must connect to, so you basically have to open up all outgoing
> > connections (unless you collaborate with the owner of the FTP server,
> > which I assume is not an option here).
>
> If you have a stateful firewall (such as IPTables on Linux) then
> the firewall can watch the main FTP connection for a 'PORT' command
> and then open up only the outgoing port number specified as the argument
> to this command. In fact with a stateful firewall, even active FTP
> is /reasonably/ secure, since again it can sniff the FTP commands and
> only open up the single incoming port required, restricting it to
> connections from the IP address of the remote server.
Great. Thanks people. I suspect my Draytek will not stretch to this,
but I can open up connections from > 1024 to ports > 1024 and then
use iptables on the server as you describe to further tighten it.
Thanks very much,
Ben
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
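The mechanism Daniel describes (the firewall reading the control channel and opening exactly one data connection) is what the Linux FTP conntrack helper does once it is loaded (ip_conntrack_ftp at the time of this thread, nf_conntrack_ftp today) and the ruleset accepts RELATED,ESTABLISHED traffic. The toy model below is an added example, not the kernel code and not anything from the thread: it parses the two RFC 959 messages that carry a data-channel endpoint, the client's PORT command (active mode) and the server's 227 reply (passive mode), turns the h1,h2,h3,h4,p1,p2 tuple into an address and port, and creates a one-shot "expectation" that permits only that connection between the two endpoints of the control session. It also refuses an advertised address that differs from the peer that sent it (which is how a helper avoids being talked into opening a hole towards a third host) and, as a policy choice of this example mirroring Ben's > 1024 rule, refuses privileged data ports. All addresses are documentation ranges and the session lines are constructed.

```python
"""Toy model of a stateful firewall's FTP helper (added example, not nf_conntrack_ftp).

Watches the FTP control channel for PORT commands and 227 PASV replies and
opens exactly one data connection between the control session's endpoints.
Addresses are documentation ranges; all messages are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + SIX + r"\)")   # server -> client
PORT_RE = re.compile(r"^PORT " + SIX + r"\s*$")     # client -> server


def decode_hostport(groups) -> Tuple[str, int]:
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


@dataclass(frozen=True)
class Expectation:
    src_ip: str    # the only host allowed to open the data connection
    dst_ip: str
    dst_port: int


class FtpHelper:
    """Tracks one control connection client_ip -> server_ip:server_port."""

    def __init__(self, client_ip: str, server_ip: str, server_port: int = 21):
        self.client_ip, self.server_ip, self.server_port = client_ip, server_ip, server_port
        self.pending: Optional[Expectation] = None
        self.log = []   # why a message was refused, for the reader

    def observe(self, direction: str, line: str) -> Optional[Expectation]:
        """Feed one control-channel line. direction is 'c2s' or 's2c'.
        Returns the expectation created, or None if nothing was opened."""
        if direction == "c2s":              # active mode: client tells server where to connect
            m = PORT_RE.match(line)
            advertised_by, opener = self.client_ip, self.server_ip
        elif direction == "s2c":            # passive mode: server tells client where to connect
            m = PASV_RE.match(line)
            advertised_by, opener = self.server_ip, self.client_ip
        else:
            raise ValueError(direction)
        if not m:
            return None                     # not a data-channel announcement
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            self.log.append(f"malformed: {line!r}")
            return None
        if ip != advertised_by:             # never open a hole towards a third host
            self.log.append(f"refused: {advertised_by} advertised {ip}:{port}")
            return None
        if port < 1024:                     # policy choice of this example (assumption)
            self.log.append(f"refused: privileged data port {port}")
            return None
        self.pending = Expectation(opener, ip, port)
        return self.pending

    def allows(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Default deny; the control channel and one expected data connection pass."""
        if (src_ip, dst_ip, dst_port) == (self.client_ip, self.server_ip, self.server_port):
            return True
        e = self.pending
        if e and (src_ip, dst_ip, dst_port) == (e.src_ip, e.dst_ip, e.dst_port):
            self.pending = None             # one-shot, like a conntrack expectation
            return True
        return False


def demo() -> None:
    fw = FtpHelper("192.0.2.10", "198.51.100.5")
    print(fw.observe("s2c", "227 Entering Passive Mode (198,51,100,5,195,149)"))
    print(fw.allows("192.0.2.10", "198.51.100.5", 50069))        # the one expected connection
    print(fw.allows("192.0.2.10", "198.51.100.5", 50069))        # second attempt is refused
    print(fw.observe("s2c", "227 Entering Passive Mode (203,0,113,9,4,1)"), fw.log)


if __name__ == "__main__":
    demo()
```

The point to take from the model is in `allows`: nothing in the "> 1024 to > 1024" range is open in general, only the single port the control channel just announced, from the single peer entitled to use it, and only once. That is the tightening Ben wants on the server side, and it is what a RELATED,ESTABLISHED accept rule gives once the FTP helper module is loaded.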