On Mon, 24 Jun 1996, Alex Filacchione wrote:
>> You would need to allow incoming connection from the outside port 20, to
>> the inside port >1023 (probably excluding the X11 ports).
> If you do this, then will you not be opening up potential source porting problems? Incoming TCP connections from port 20 on an attacking machine would make it through, no? Isn't the purpose behind PASV ftp specifically to stop this potential problem? Something to think about.
Sure, and hence the usual arguement ensues about PASV or not PASV. :-)
If you use PASV, then the server has to open up a wide number of ports.
If you use normal mode, then you do. Someone takes the risk.
Someone mentioned that FW-1 uses a stateful filter, which could be the
answer. If the filter recognises an outgoing FTP connection, then
perhaps it then allows incoming connections from that IP's port 20. A
little more helpful - perhaps.
Dave Roberts | "Surfing the Internet" is a sad term for sad people.
Unix Systems Admin | Get a board, find a beach, surf some REAL waves and
SAA Consultants Ltd | get a *real* life.
Plymouth, U.K. | -=[For PGP Key, send mail with subject of "get pgp"]=-