In article <9501141318 .
com> you write:
>It is my understanding that certain firewalls (for instance, the Janus, I
>believe) will actively track outbound FTP connections, and will only allow in
>*corresponding* inbound FTP connections above port 1024. This doesn't help
>much if you don't have that particular firewall product, but it's at least one
>option. Generally, though, it's my understanding that it is a fairly standard
>procedure to allow inbound connections over port 1024. But I may be wrong.
It may be fairly standard, but it is not secure. People have been
known to hack into X Servers (port 6000 and above), NFS Servers
(random TCP port if TCP NFS enabled), Sybase or other database
servers (typical development shops run these servers on untrusted
port ranges). Also there is then nothing to stop an internal person
from running a telnet server at one of those high port ranges -
"but all I wanted was to telnet from my home SLIP account and the
firewall was too restrictive!".
Some people on this list have briefly mentioned this last point
without going into too much detail. Basically, if your firewall
is too restrictive and inflexible (and router based filters are
this), then internal staff may very well circumvent your firewall
entirely, not realizing the risk they are putting the rest of the
company in. Bottom line: a firewall needs to be secure, but
flexible enough to give end users the functionality they need.
>To: firewalls @ GreatCircle.COM @ Internet
>cc: (bcc: Kenneth Smith)
>From: jharvey @ netcom.com (Justin Harvey) @ Internet @ WORLDCOM
>Date: 01/13/95 05:56:46 PM CST
>Subject: FTP through firewall
>Are most people that operate firewalls allowing ports 1024-2000 incoming
>so that outbound ftp may work? If you don't do this the ftp won't
>work...I've also read that you can somehow use the PASV command...do we
>need to modify a source of ftp and use that if we don't want to enable
Phil Trubey |
NetPartners | Providing Internet products and services.
E-mail: phil @
com | Home Page: http://www.netpart.com/
Phone: 714-759-1641 |