Re: [Sheflug] Passive FTP
"Stephen J. Turnbull" <turnbull [at] sk.tsukuba.ac.jp> mused:
>
> I guess that is the rationale for using port 20 on the server in the
> first place, so that the client has some confidence that the
> connection is authorized by a responsible party on the server?
Presumably.
>
> David> Similarly, passive is a nightmare for firewall
> David> administrators to support servers; they have to allow
> David> incoming connections from any port to any port >= 1024 on
> David> the server, or have a clever layer-7 filter.
>
> Is it really that bad? I would put the server outside the firewall
> proper, and listen only on 21. Once you have a connection, the ftp
> server itself can tell its host's ip filter which port to open, and as
> a bonus, restrict it only to the known client host.
>
> Admittedly, this means that to set up a server an internal entity must
> cooperate with the firewall administration. But that's what you want,
> isn't it? Otherwise the internal entity could run telnetd on port
> 21.[1] The only other problems I can see have to do with who
> administers and who pays for the routing hardware etc for the networks
> out in the war zone.
By nightmare, I mean:
someone says "ere, can we have ftp access to the web server, so we can
upload new content?". You say 'sure, I'll just do it right now'.
You toddle off and open ports 21 and 20 on your firewall, 'cause you've
read somewhere that those are the ports they need, and ring up the client to
say 'it should work now'. They ring back a few minutes later and complain
about timeouts. You go away and spend half a day researching the FTP protocol,
and realise the error of your naivety. You are now faced with a choice of
* opening up all ports > 1024 on your firewall - so every crappy RPC
service out there running as root is exposed (e.g. statd, etc.),
* chucking away your existing firewall and spending 10K on a Cisco PIX
and getting up to speed on it
* Trying to find (or write) an ftp server that can dynamically update
ifchain filtering thingies (assuming your OS supports them)
* Or some other time consuming method that has to be studied, learned,
tried out, implemented etc etc.
Then you can ring the client back and tell them the good news :-)
All in all, a protocol that makes life very hard.
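To make the two data-channel behaviours concrete, here is an added example (my own code, not from the original post or from any FTP server): it decodes the PORT command an active-mode client sends and the 227 reply a passive-mode server sends (port = p1*256 + p2, per RFC 959), opens a real passive data channel on loopback so you can see the port is only known once the kernel picks it, and prints the per-connection rule a server-side firewall would need. The IP addresses are constructed from the RFC 5737 documentation ranges, and the rule strings are a hypothetical notation, not any particular firewall's syntax.

```python
"""Active vs passive FTP data channels and the firewall rule each one needs.

Added example, not code from the original post. Addresses are constructed
(RFC 5737 documentation ranges); the "server" is an in-process loopback socket.
"""
import re
import socket
import threading

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    """Turn the six RFC 959 octets h1,h2,h3,h4,p1,p2 into (host, port)."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    port = p1 * 256 + p2          # port is sent as two bytes, high then low
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_pasv(reply: str):
    """Client side (passive): decode the server's 227 reply into where to connect."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    return _decode(m.groups())


def parse_port(cmd: str):
    """Server side (active): decode the client's PORT command; server dials it from port 20."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(m.groups())


def format_pasv(host: str, port: int) -> str:
    """Server side (passive): build the 227 reply for the data port it just opened."""
    return f"227 Entering Passive Mode ({','.join(host.split('.'))},{port // 256},{port % 256})"


def server_firewall_rule(mode: str, client_ip: str, server_ip: str, data_port: int) -> str:
    """Rule the server-side firewall needs for the data channel (hypothetical notation).

    Active: the server dials out from port 20, so nothing inbound is opened on
    the server side (the client's firewall has the problem instead).
    Passive: a hole into the server on a port nobody knows until the 227 reply
    is sent, so the only tight rule is per-connection and pinned to the client.
    """
    if mode == "active":
        return f"allow tcp out from {server_ip}:20 to {client_ip}:{data_port}"
    if mode == "passive":
        if data_port < 1024:
            raise ValueError("passive data ports are expected to be >= 1024")
        return f"allow tcp in from {client_ip} to {server_ip}:{data_port}"
    raise ValueError(f"unknown mode {mode!r}")


def passive_exchange(payload: bytes = b"hello"):
    """Run a passive data channel end to end on loopback; returns (port, data received).

    bind(('127.0.0.1', 0)) lets the OS choose the port, as an FTP server does,
    which is exactly why no static rule written beforehand can name it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    reply = format_pasv(host, port)           # what the server sends on the control channel

    def serve():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(payload)

    t = threading.Thread(target=serve)
    t.start()
    client = socket.create_connection(parse_pasv(reply))   # client acts on the 227 reply
    data = b""
    with client:
        while len(data) < len(payload):
            chunk = client.recv(len(payload) - len(data))
            if not chunk:
                break
            data += chunk
    t.join()
    listener.close()
    return port, data


if __name__ == "__main__":
    port, data = passive_exchange()
    print(format_pasv("127.0.0.1", port), "->", data)
    print(server_firewall_rule("passive", "203.0.113.7", "198.51.100.21", port))
    print(server_firewall_rule("active", "203.0.113.7", "198.51.100.21", parse_port("PORT 203,0,113,7,4,1")[1]))
```

Run it and note that the passive port differs from run to run; that is the port the "open everything above 1024" option in the list above would expose, and the one a per-connection rule pushed by the ftp daemon would limit to the single client that issued PASV.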
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.