[Sheflug] Passive FTP
I should get more sleep.
Thanks for the correction.
>>>>> "David" == David Mitchell <davem [at] fdgroup.co.uk> writes:
David> In passive mode, the client sends the server a 'PASV'
David> command; the server listens on a random port R2, responds
David> with a port number R2, then the *client* establishes the
David> connection:
David> C:R3 -> S:R2
And if you're thinking this is awf'ly complicated, it's because the
client probably cannot listen on port 20, which is restricted to root
on Unix systems.
I guess that is the rationale for using port 20 on the server in the
first place, so that the client has some confidence that the
connection is authorized by a responsible party on the server?
David> Similarly, passive is a nightmare for firewall
David> administrators to support servers; they have to allow
David> incoming connections from any port to any port >= 1024 on
David> the server, or have a clever layer-7 filter.
Is it really that bad? I would put the server outside the firewall
proper, and listen only on 21. Once you have a connection, the ftp
server itself can tell its host's ip filter which port to open, and as
a bonus, restrict it only to the known client host.
Admittedly, this means that to set up a server an internal entity must
cooperate with the firewall administration. But that's what you want,
isn't it? Otherwise the internal entity could run telnetd on port
21.[1] The only other problems I can see have to do with who
administers and who pays for the routing hardware etc for the networks
out in the war zone.
Footnotes:
[1] Suggested by a half-clued colleague for personal use when our
Univ decided to put up a firewall.
--
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences Tel/fax: +81 (298) 53-5091
_________________ _________________ _________________ _________________
What are those straight lines for? "XEmacs rules."
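The PASV exchange quoted above, plus the "restrict it only to the known client host" check the reply proposes, as an added worked example (it is not from the list post and is not any real ftpd's code). Both sides run over loopback; the toy server speaks only PASV, and the function names, the "toy ftpd" banner and the sample payload are made up for the example. The server binds the ephemeral data port R2, advertises it in the 227 reply, and then refuses any data connection whose source address is not the host that holds the control connection.

```python
import re
import socket
import threading

# Added example, not from the list post: a loopback PASV exchange where the
# server itself enforces "only the control connection's host may use R2".
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_pasv(host, port):
    """Build a 227 reply: four address octets, then the port as p1*256 + p2."""
    o = host.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n" % (
        o[0], o[1], o[2], o[3], port // 256, port % 256)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, rejecting anything malformed."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def pasv_server(ctrl, payload):
    """Serve one PASV transfer on an accepted control socket; True on success."""
    ctrl_peer = ctrl.getpeername()[0]
    rd = ctrl.makefile("rb")
    ctrl.sendall(b"220 toy ftpd ready\r\n")
    if rd.readline().strip().upper() != b"PASV":
        ctrl.sendall(b"502 only PASV is implemented here\r\n")
        return False
    # Listen on an ephemeral port (the "random port R2" of the thread) on the
    # address the client reached us at, and advertise it in the 227 reply.
    lst = socket.socket()
    lst.bind((ctrl.getsockname()[0], 0))
    lst.listen(1)
    lst.settimeout(5)
    host, port = lst.getsockname()
    ctrl.sendall(encode_pasv(host, port).encode())
    try:
        data, (peer, _) = lst.accept()
    except socket.timeout:
        lst.close()
        return False
    lst.close()
    # The restriction the reply wants the host's packet filter to apply,
    # done by the server: only the control connection's host may use R2.
    if peer != ctrl_peer:
        data.close()
        ctrl.sendall(b"425 data connection from wrong host\r\n")
        return False
    ctrl.sendall(b"150 sending data\r\n")
    data.sendall(payload)
    data.close()
    ctrl.sendall(b"226 transfer complete\r\n")
    return True


def pasv_client(host, ctrl_port):
    """Client side: C:R1 -> S:21, send PASV, then C:R3 -> S:R2 for the data."""
    ctrl = socket.create_connection((host, ctrl_port))
    rd = ctrl.makefile("rb")
    rd.readline()                                   # 220 banner
    ctrl.sendall(b"PASV\r\n")
    data_host, data_port = parse_pasv(rd.readline().decode())
    data = socket.create_connection((data_host, data_port))
    rd.readline()                                   # 150 (or 425 on refusal)
    chunks = []
    while True:
        chunk = data.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    data.close()
    rd.readline()                                   # 226
    ctrl.close()
    return b"".join(chunks)


def run_exchange(payload=b"constructed sample file\n"):
    """Run server and client over loopback; return (server_ok, bytes_received)."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    host, port = lst.getsockname()
    outcome = {}

    def serve():
        ctrl, _ = lst.accept()
        outcome["ok"] = pasv_server(ctrl, payload)
        ctrl.close()

    t = threading.Thread(target=serve)
    t.start()
    received = pasv_client(host, port)
    t.join()
    lst.close()
    return outcome["ok"], received
```

Calling run_exchange() performs the whole exchange locally and returns (True, payload). The peer check is the cheap, server-side half of what the reply describes; a real deployment would also have the server tell the host's packet filter to open R2 for that one client address and close it again after the transfer, which this example does not do.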
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk