>> From what I have been able to gather, the best solution is to allow
>> inward access from port 20 on a remote host only for "established"
>> connections (understanding this could be spoofed) and only to ports above
>> 1023. There is some additional vulnerability imposed, and you might want
>> to specify that only some subnets/clients/proxy hosts have permission to
>> do so.
What does it mean to allow inward access only for "established"
connections? I thought the problem here is whether or not to allow
the remote host to establish a connection.
It seems very dangerous to me to allow inbound TCP from remote port 20
to inside port > 1023. If I knew you were doing this, and some of
your users did xhost +, for example, I could connect to their X
servers (binding my socket to local port 20 before connecting) and
Kenneth J. Duda http://www-dsg.stanford.edu/KennethDuda.html
edu> Stanford University Distributed Systems Group
415-723-9429 Building 460 / Stanford, CA 94305
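To make the disagreement concrete, here is an added example (a toy stateless packet filter in Python, not code from anyone in this thread) that evaluates the three rule variants under discussion against two constructed packets: a new connection from remote port 20 to an inside X server, and the server-initiated data connection of an active-mode FTP transfer. The "established" test is modelled in the classic stateless sense (ACK set, SYN clear); the client subnet and X11 port range are assumptions.

```python
# Added example: a toy stateless filter for the "remote port 20 -> inside
# port > 1023" rule discussed in the thread. Not the thread's own code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # TCP SYN flag set
    ack: bool  # TCP ACK flag set

def naive_rule(pkt: Packet) -> bool:
    """Permit any inbound TCP from remote port 20 to an inside port above 1023.
    Lets a remote host open a brand-new connection to e.g. an X server on 6000."""
    return pkt.src_port == 20 and pkt.dst_port > 1023

def established_rule(pkt: Packet) -> bool:
    """naive_rule, but only for 'established' packets in the stateless sense
    (ACK set, SYN clear). Blocks new connections from port 20, including the
    legitimate server-initiated data connection of active-mode FTP, which is
    exactly the objection raised above. A forged ACK-only packet still passes."""
    return naive_rule(pkt) and pkt.ack and not pkt.syn

# Assumed (constructed): inside hosts allowed to receive FTP data connections,
# and the X display port range, which must never be reachable through this rule.
FTP_CLIENT_NETS = [ip_network("10.1.2.0/24")]
X11_PORTS = range(6000, 6064)

def subnet_rule(pkt: Packet) -> bool:
    """naive_rule limited to designated client subnets and excluding X11 ports.
    Active-mode FTP data still works; port 6000 on those clients is covered,
    but any other listener above 1023 on them remains exposed to port 20."""
    if not naive_rule(pkt) or pkt.dst_port in X11_PORTS:
        return False
    return any(ip_address(pkt.dst_ip) in net for net in FTP_CLIENT_NETS)

def evaluate(rule, packets):
    """Apply one rule to a list of packets; True means the packet is permitted."""
    return [rule(p) for p in packets]

# Constructed traffic: a new connection from port 20 to an inside X server, and
# an active-mode FTP data connection (also a SYN from port 20) to a client.
X_PROBE = Packet("192.0.2.10", 20, "10.1.2.5", 6000, syn=True, ack=False)
FTP_DATA = Packet("192.0.2.10", 20, "10.1.2.5", 4001, syn=True, ack=False)

if __name__ == "__main__":
    for rule in (naive_rule, established_rule, subnet_rule):
        print(rule.__name__, evaluate(rule, [X_PROBE, FTP_DATA]))
```

The point the output makes is that the "established" qualifier does not distinguish the two cases: it drops both the probe and the legitimate FTP data connection, because both arrive as new connections from port 20.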
From: padgett @ com (A. Padgett Peterson, P.E. Information Security)