Re: Passive mode ftp
mouss wrote:
>
> which may be stated as follows:
> - passive mode is better when the FW protects clients.
> - active mode is better when the FW protects servers.
>
> but designing a new protocol would be better than both modes.
Although in principle it is possible to request the data port connection
from a separate IP, I wonder if it is a reality. If the server "deviates"
from the RFCs only in this respect, that is, the data connection must come
from the same host as the control connection, much of the passive mode headache can be
eliminated. Because: 1) PASV data ports may be chosen from a small range
(say 100), and said data ports can be constantly listened on and can perform
an accept-fork loop.
This way the holes for data ports on the external router can be made small,
the holes may all be listened on and thus cannot be listened on unknowingly,
and the connecting peer IP (but not the port number) can be authenticated.
Also, most ftp clients won't be affected.
What do you think of this as a tentative workaround for the ftp server difficulty?
horio shoichi
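The scheme sketched in the post above (a small, permanently listened PASV port range plus a check that the data connection comes from the same host as the control connection), as an added illustration that is not part of the original thread or of any ftp server mentioned in it. The port range 47000-47009 and the "other host" address 192.0.2.10 are constructed values for the demo; the check itself only compares the accepting socket's peer address with the control connection's peer address, which is exactly the limit the post describes (host is verified, port number is not).

```python
import socket
import time
from typing import Iterable, List, Optional

# Constructed sample range: ten consecutive high ports that the external
# router would be configured to let through to the ftp server.
DEFAULT_PASV_PORTS = range(47000, 47010)


def open_pasv_listeners(bind_ip: str, ports: Iterable[int]) -> List[socket.socket]:
    """Bind and listen on every free port of the small PASV range.

    The sockets stay open for the server's lifetime, so no other process on
    the host can quietly take over one of the firewall-permitted ports."""
    listeners = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((bind_ip, port))
        except OSError:
            s.close()  # already in use by something else; skip it
            continue
        s.listen(16)
        listeners.append(s)
    if not listeners:
        raise RuntimeError("no port in the PASV range could be bound")
    return listeners


def pasv_response(ip: str, port: int) -> str:
    """Format the RFC 959 '227' reply that tells the client where to connect."""
    octets = ip.split(".")
    return "227 Entering Passive Mode (%s,%d,%d)" % (",".join(octets), port // 256, port % 256)


def accept_data_connection(listener: socket.socket, control_peer_ip: str,
                           timeout: float = 5.0) -> Optional[socket.socket]:
    """Accept one data connection on a PASV port, enforcing the post's rule:
    it must come from the same host as the control connection.

    Connections from any other address are closed without reading a byte.
    Returns the accepted socket, or None if no valid peer arrived in time."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        listener.settimeout(remaining)
        try:
            conn, (peer_ip, _peer_port) = listener.accept()
        except socket.timeout:
            return None
        if peer_ip == control_peer_ip:
            return conn          # host matches; port number is deliberately not checked
        conn.close()             # wrong host: drop it and keep waiting


def run_demo(ports: Iterable[int] = DEFAULT_PASV_PORTS) -> dict:
    """Exercise both outcomes on loopback and report them."""
    listeners = open_pasv_listeners("127.0.0.1", ports)
    lst = listeners[0]
    port = lst.getsockname()[1]
    results = {"pasv_reply": pasv_response("127.0.0.1", port)}

    # Case 1: data connection from the same host as the control connection.
    client = socket.create_connection(("127.0.0.1", port))
    conn = accept_data_connection(lst, control_peer_ip="127.0.0.1", timeout=2.0)
    results["same_host_accepted"] = conn is not None
    if conn is not None:
        conn.close()
    client.close()

    # Case 2: the control connection came from a different (constructed) host,
    # so a data connection from 127.0.0.1 must be rejected.
    client = socket.create_connection(("127.0.0.1", port))
    conn = accept_data_connection(lst, control_peer_ip="192.0.2.10", timeout=1.0)
    results["other_host_rejected"] = conn is None
    client.close()

    for s in listeners:
        s.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

A real server would hand each accepted data socket to a forked child (the accept-fork loop of the post) and pair it with the session whose control connection has that peer address; the demo keeps the pairing in one thread to show only the two decisions that matter for the firewall.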