>user is then free to access hosts and services on the Internet. Files
>retrieved to the gateway are available to the user internally via NFS.
>The user can remove files transfered into the directories created during
>the acftp session startup but they cannot remove the directories.
This would make me somewhat nervous in general, since it means
that users are modifying data on the firewall. I like the idea of having
all the application gateways operate socket-to-socket and never touch
(or even know about) the file system on the firewall. The SEAL ftpxd or
telnetxd can run from a chrooted filesystem with nothing in it, if need
be. I'm paranoid, I guess, but most of the security holes I used to know
of had something to do with exploiting some file permissions by some
process that shouldn't have access to some file. Make your application
gateway never open any files under user control, and you've put a
bullet through the problem.