I believe the only(?) option is to allow incoming connections. The ftp
gateway (for example) sends out a PORT command listing a port > 1023,
so the ftp server creates a connection from port 20 to a port > 1023.
If you can live with incoming connections to ports > 1023 you can have
ftp access. Of course this means tightening up the security on the box(es)
receiving those incoming connections. On a bastion host the only things
listening on ports > 1023 will be the ftp gateway (on the ones I build).
Colin
>
[chomp]
>
> Things I have considered.
> -------------------------
> 1. Poke a hole in the firewall and allow FTP data connections on port 20
> (ftp-data). FTP client would be reprogrammed to use port 20 for data
> connections. Issues: Multiple concurrent FTP client listen requests could
> get swapped. (What happens in the FTP implementation when this occurs?)
>
> 2. Poke a range of holes in the firewall. Reprogram the FTP client to look
> for free ports within the range. Issues: Still required to poke several
> holes in the firewall, requires custom FTP software. Benefit: listen
> requests will not be swapped. (Best solution that I can find so far)
>
> 3. Do not use FTP and write a TCP application that uses only a single TCP
> port for data and control. Issues: Time + $$, no compatibility. Benefit:
> solves the problem.
>
> 4. Am I missing something??? Help. How are other people doing this?? Do
> most people just allow ports > 1023??
>
> Thank you,
> ---------------------------------------
> | Bill Bunting, Software Engineer         |
> | Inter-National Research Institute, Inc. |
> | 1441 Crossways Boulevard, Suite 102     |
> | Chesapeake, Virginia 23320              |
> | V(804)424-8675 F(804)420-4262           |
> | (wbunting@inri.com)                     |
> | (bunting@cs.odu.edu)                    |
> | http://www.cs.odu.edu/~bunting          |
> ---------------------------------------
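As an added illustration of the PORT exchange Colin describes (example code written for this page, not from the thread), here is a small Python check that an FTP gateway or firewall could apply to a client's PORT command: it decodes the RFC 959 h1,h2,h3,h4,p1,p2 argument, requires the data port to fall in the range the firewall actually opens (> 1023 by default, or the narrower range of option 2), and additionally requires the address to match the control connection's peer, a check the thread itself does not mention. The sample PORT commands and peer address are constructed.

```python
import ipaddress
import re

# RFC 959 PORT argument: six decimal byte values, h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(cmd):
    """Decode a PORT command into (IPv4Address, port), or None if malformed.

    The data port is p1*256 + p2; any byte above 255 is rejected.
    """
    m = PORT_RE.match(cmd)
    if not m:
        return None
    b = [int(x) for x in m.groups()]
    if any(x > 255 for x in b):
        return None
    return ipaddress.IPv4Address(".".join(str(x) for x in b[:4])), b[4] * 256 + b[5]


def gateway_allows(cmd, control_peer, low=1024, high=65535):
    """Decide whether the gateway should pass a client's PORT command.

    Policy, mirroring the thread: the server will connect from port 20 to
    the announced port, so that port must lie inside the range the firewall
    has opened (> 1023 by default, or a deliberately narrow range).  The
    announced address must also equal the client on the control connection,
    so the server is never told to connect to some third host (added check,
    not from the thread).  Returns (allowed, reason).
    """
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_peer):
        return False, "PORT address %s differs from control peer %s" % (ip, control_peer)
    if not low <= port <= high:
        return False, "data port %d outside opened range %d-%d" % (port, low, high)
    return True, "server may connect from port 20 to %s:%d" % (ip, port)


# Constructed sample: client 192.168.1.10 announces data port 4*256+1 = 1025
SAMPLE_PORT = "PORT 192,168,1,10,4,1"
SAMPLE_PEER = "192.168.1.10"
```

Calling `gateway_allows(SAMPLE_PORT, SAMPLE_PEER)` permits the connection, while passing `low=40000, high=40010` (option 2's handful of holes) rejects the same command because 1025 is outside the opened range.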