
[Sheflug] Passive FTP



I should get more sleep.

Thanks for the correction.

>>>>> "David" == David Mitchell <davem [at] fdgroup.co.uk> writes:

    David> In passive mode, the client sends the server a 'PASV'
    David> command; the server listens on a random port R2, responds
    David> with a port number R2, then the *client* establishes the
    David> connection:

    David> C:R3 -> S:R2

And if you're thinking this is awf'ly complicated, it's because the
client probably cannot listen on port 20, which is restricted to root
on Unix systems.

I guess that is the rationale for using port 20 on the server in the
first place, so that the client has some confidence that the
connection is authorized by a responsible party on the server?

    David> Similarly, passive is a nightmare for firewall
    David> administrators to support servers; they have to allow
    David> incoming connections from any port to any port >= 1024 on
    David> the server, or have a clever layer-7 filter.

Is it really that bad?  I would put the server outside the firewall
proper, and listen only on 21.  Once you have a connection, the ftp
server itself can tell its host's ip filter which port to open, and as
a bonus, restrict it only to the known client host.

Admittedly, this means that to set up a server an internal entity must
cooperate with the firewall administration.  But that's what you want,
isn't it?  Otherwise the internal entity could run telnetd on port
21.[1]  The only other problems I can see have to do with who
administers and who pays for the routing hardware etc for the networks
out in the war zone.


Footnotes: 
[1]  Suggested by a half-clued colleague for personal use when our
Univ decided to put up a firewall.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
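The PASV exchange quoted above, and the "server tells its host's ip filter which port to open, restricted to the client host" idea, worked through as an added example; this is not code from the thread or from any FTP server. The 227 reply format (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) is the one RFC 959 defines; the filter rule uses iptables syntax as an assumption, since the post only says "ip filter"; the addresses and port are constructed, not captured traffic.

```python
"""Passive-mode FTP port handling, both sides of one PASV exchange.

Added example, not code from the original thread.  iptables syntax is an
assumption (the post only says "ip filter").  Addresses and ports below
are constructed, not captured traffic.
"""
import re
import ipaddress

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# The data port is p1*256 + p2.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def pasv_reply(server_ip: str, data_port: int) -> str:
    """Server side: encode the listening address into a 227 reply."""
    addr = ipaddress.IPv4Address(server_ip)          # rejects non-IPv4 input
    if not 1024 <= data_port <= 65535:
        raise ValueError("passive data port must be unprivileged: %d" % data_port)
    h = str(addr).replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        h, data_port // 256, data_port % 256)


def parse_pasv_reply(reply: str, control_ip: str):
    """Client side: extract (host, port) from a 227 reply.

    Rejects replies that name a host other than the one the control
    connection (port 21) already goes to, so the data connection cannot be
    redirected to a third party by whatever sent the reply.
    """
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply: %r" % reply)
    host = "%d.%d.%d.%d" % tuple(fields[:4])
    port = fields[4] * 256 + fields[5]
    if host != str(ipaddress.IPv4Address(control_ip)):
        raise ValueError("227 reply names %s but control connection is to %s"
                         % (host, control_ip))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return host, port


def data_port_rule(server_ip: str, client_ip: str, data_port: int) -> list:
    """Server-host filter rule for one passive data connection: open the
    chosen port only to the client that issued PASV.  iptables syntax is an
    assumption; adapt to the host's actual packet filter."""
    ipaddress.IPv4Address(server_ip)
    ipaddress.IPv4Address(client_ip)
    if not 1024 <= data_port <= 65535:
        raise ValueError("bad data port %d" % data_port)
    return [
        "iptables", "-I", "INPUT",
        "-p", "tcp",
        "-s", client_ip, "-d", server_ip,
        "--dport", str(data_port),
        "--syn",
        "-j", "ACCEPT",
    ]


def passive_exchange(server_ip: str, client_ip: str, data_port: int) -> dict:
    """Walk one PASV exchange end to end and return what each side produces:
    the server's 227 reply, the per-client filter rule it would install, and
    the (host, port) the client will connect to after checking the reply."""
    reply = pasv_reply(server_ip, data_port)
    rule = data_port_rule(server_ip, client_ip, data_port)
    host, port = parse_pasv_reply(reply, control_ip=server_ip)
    return {"reply": reply, "rule": rule, "client_connects_to": (host, port)}


if __name__ == "__main__":
    # Constructed example: server 192.0.2.10, client 198.51.100.7, port 50123.
    result = passive_exchange("192.0.2.10", "198.51.100.7", 50123)
    print(result["reply"].strip())
    print(" ".join(result["rule"]))
    print("client connects to %s:%d" % result["client_connects_to"])
```

The rule is deliberately narrow (one source host, one destination port, SYN only); the matching cleanup when the data connection closes is the server's job as well, otherwise the accepted ports accumulate.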