[Gllug] passive ftp through f/w

Richard Jones rich at annexia.org
Thu May 6 11:48:57 UTC 2004


On Thu, May 06, 2004 at 11:12:44AM +0100, Ben Fitzgerald wrote:
> The inside interface is strict, in that all packets
> are blocked unless explicitly allowed. I've allowed
> stuff like ssh, http[s] etc. I want to allow ftp
> out. Seems like passive ftp is the best way to go,
> but is there a way to ftp out without having to 
> open up all high number ports outbound for the
> data stream?

In general no.  With passive FTP, the FTP server specifies which port
you must connect to, so you basically have to open up all outgoing
connections (unless you collaborate with the owner of the FTP server,
which I assume is not an option here).

However, most firewalls allow *active* FTP to work.  I don't know
about the Vigor, but it's common with Linux firewalls.  With active
FTP, the client (i.e. you) specifies which port you want the server to
connect back to you on.  This is done using a 'PORT' command over the
fixed control connection.  The firewall sniffs for the PORT command
and rewrites it, specifying a suitable local port on the firewall.
Concurrently it also opens that local port and redirects it back
inside the firewall.  All quite safe provided the firewall is
correctly implemented.

Rich.

-- 
Richard Jones. http://www.annexia.org/ http://www.j-london.com/
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
"One serious obstacle to the adoption of good programming languages is
the notion that everything has to be sacrificed for speed. In computer
languages as in life, speed kills." -- Mike Vanier
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
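As an added illustration (not part of the original thread or of any firewall's code) of the PORT rewrite Rich describes: the FTP helper parses the client's `PORT h1,h2,h3,h4,p1,p2`, substitutes the firewall's own external address and a port it has just reserved, and records the reverse mapping so the server's data connection can be redirected back inside. The PASV parser alongside it shows why the passive case needs all high ports open: the server picks the port. Addresses, ports and the `redirects` table are constructed for the example.

```python
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"\r?\n?$")
_PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def _decode(octets):
    """Turn the six comma-separated fields of RFC 959 into (ip, port)."""
    vals = [int(x) for x in octets]
    if any(v > 255 for v in vals):
        raise ValueError("host/port field out of range")
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def encode_hostport(ip, port):
    """Inverse of _decode: '198.51.100.7', 40000 -> '198,51,100,7,156,64'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Active mode: client tells the server where to connect back to."""
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def parse_pasv_response(line):
    """Passive mode: server tells the client which (arbitrary) port to dial."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _decode(m.groups())


def rewrite_port_command(line, fw_external_ip, fw_port, redirects):
    """Firewall helper on the outbound control connection (hypothetical).

    Rewrites the inside host's PORT so the server connects to the firewall,
    and records fw_port -> inside endpoint so that connection is redirected.
    Only unprivileged inside ports are accepted, as a sane helper would insist.
    """
    inside_ip, inside_port = parse_port_command(line)
    if not 1024 <= inside_port <= 65535:
        raise ValueError("refusing to redirect to a privileged inside port")
    redirects[(fw_external_ip, fw_port)] = (inside_ip, inside_port)
    return "PORT %s\r\n" % encode_hostport(fw_external_ip, fw_port)
```

The helper only ever opens the single port it reserved for one transfer, which is why active FTP through a well-implemented firewall does not need a blanket high-port rule.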