I attempted to close TCP ports >1023. I was then unable to receive mail via SMTP. SMTP was
unable to get a backchannel to send incoming mail. I was led to believe that the backchannel
was dynamically determined and was ALWAYS >1023.
Outgoing mail was unaffected.
---------------Original Message---------------
This is an extract from a program on ftp.cisco.com to generate access
lists, summarizing the problem with outgoing ftp:
#
# Permit TCP connections with port numbers greater than 1024
# into a very limited set of hosts. Make sure NO terminal servers
# are in this list because this allows dangerous access to terminal
# servers and protocol translators.
#
# This is so that people can FTP out of cisco without using pftp
# (available from ftp.cisco.com). We now use passive-ftp everywhere
# and no longer need to permit this. This is the *ONLY* reason to allow
# inbound TCP >1023 so don't let anyone give you shit for closing this
# hole.
#
# This is a serious major gaping security hole and should be denied
# except known secure machines. The 'established' keyword earlier on
# handles everything outbound but outbound FTP, so that is the ONLY
# reason we should allow this.
#
Passive ftp is available for UNIX computers in source form, but what
about its availability on other platforms (Macs and PCs running ftp
software tcp/ip)? Also, how widely do the "main" public ftp servers
support it?
Thanks.
Mohamed
{original message deleted}
----------------------------------------------------------------------
E-mail: ronl@vantageware.com (Ron A Lindsay)
Date: 04/06/95
----------------------------------------------------------------------
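The Cisco comment quoted above describes a rule order: `established` first (so replies to connections opened from inside get through), then a deny on new inbound connections to ports above 1023. The following is an added example, not code from the thread or from ftp.cisco.com, that models that evaluation order in Python and shows why active-mode FTP breaks under it while passive-mode FTP and inbound SMTP to port 25 do not. The packets and port numbers are constructed; the rule list is a simplification of what the comment describes, not a real IOS access list.

```python
"""Model of the inbound access-list order described in the Cisco comment:
'established' first, then deny new connections to ports > 1023, then a
short list of exposed well-known services. Constructed example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    ack_set: bool  # False only for the bare SYN that opens a connection


def inbound_acl(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for one inbound TCP segment.

    Rule 1 models the IOS 'established' keyword: it matches segments with
    the ACK (or RST) bit set, i.e. traffic belonging to a connection our
    side already opened. A bare SYN never matches it.
    Rule 2 is the 'gaping hole' the comment talks about: a brand-new
    inbound connection to a high port. We deny it.
    Rule 3 exposes a constructed set of well-known services (SMTP, FTP
    control) so outsiders can still deliver mail and log in to FTP.
    """
    if pkt.ack_set:
        return "permit"          # rule 1: established
    if pkt.dst_port > 1023:
        return "deny"            # rule 2: no new inbound high-port sessions
    if pkt.dst_port in (25, 21):
        return "permit"          # rule 3: exposed services
    return "deny"                # implicit deny at the end of the list


def active_ftp_data() -> str:
    """Active mode: after our client sends PORT, the remote server opens the
    data connection from its port 20 to an ephemeral port on our client.
    That arrives inbound as a bare SYN to a port > 1023."""
    return inbound_acl(Packet(src_port=20, dst_port=40000, ack_set=False))


def passive_ftp_data() -> str:
    """Passive mode: our client opens the data connection to the server's
    high port, so the first inbound segment is the server's SYN/ACK, which
    the 'established' rule matches."""
    return inbound_acl(Packet(src_port=50000, dst_port=40000, ack_set=True))


def inbound_smtp_open() -> str:
    """A remote MTA delivering mail opens a connection from an ephemeral
    port to our port 25. The high-port deny keys on the destination port,
    so it is not consulted for port 25."""
    return inbound_acl(Packet(src_port=33000, dst_port=25, ack_set=False))


def unsolicited_high_port_probe() -> str:
    """A new inbound connection straight to a high port (the case the
    comment wants closed) is refused."""
    return inbound_acl(Packet(src_port=33000, dst_port=6000, ack_set=False))


if __name__ == "__main__":
    for name, fn in (("active FTP data", active_ftp_data),
                     ("passive FTP data", passive_ftp_data),
                     ("inbound SMTP open", inbound_smtp_open),
                     ("high-port probe", unsolicited_high_port_probe)):
        print(f"{name:20s} -> {fn()}")
```

Run it to see the four outcomes side by side: the only legitimate flow the high-port deny breaks is the active-mode FTP data connection, which is exactly why the Cisco comment says switching to passive FTP removes the one reason for permitting inbound TCP >1023.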