[geeks] ipfilter question - was:DHCP silliness

Chris Byrne geeks at sunhelp.org
Sun Nov 25 14:01:49 CST 2001


Unfortunately that's pretty much how all non-stateful inspection firewalls
handle port mode FTP (stateful inspection firewalls do something similar for
EVERY packet). I generally recommend that clients restrict FTP to passive
unless there is a problem.

Chris Byrne

-----Original Message-----
From: geeks-admin at sunhelp.org [mailto:geeks-admin at sunhelp.org]On Behalf
Of dave at cca.org
Sent: 25 November 2001 18:11
To: geeks at sunhelp.org
Subject: Re: [geeks] ipfilter question - was:DHCP silliness


jdboyd at cs.millersville.edu writes:

>Hmm.  Looking for information on what pasv means, I find that it appears that
>linux's ip_masq can be set to eavesdrop on ftp connections to allow normal
>mode to work.  I bet that NetBSD can do the same thing, whenever I get it
>set up for NAT.  I wonder how I set Mozilla and IE to pasv mode in the mean
>time...

In normal mode, a contacts b, asks for a file, b opens a new connection
back to a and sends the file. If a is behind NAT, its IP is obviously
bogus from b's point of view, and therefore unreachable.

In passive mode, a contacts b, asks for a file, b sends it back along
the existing connection.

Snooping on ftp connections to "fix" that is insane. I don't want
my firewall being a wiseass about what's really hidden.

-------- David Fischer --------- dave at cca.org --------- www.cca.org --------
---------------------- "It's something to do." -Cerebus --------------------
_______________________________________________
GEEKS:  http://www.sunhelp.org/mailman/listinfo/geeks
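The thread turns on one detail: in port (active) mode the client announces an IP address and port in-band, inside the PORT command, and a NAT box can only make that work by reading the control channel and rewriting or pinholing what it finds there (this is what ip_masq's FTP snooping does). The Python below is an added illustration for this archive page, not code from the thread, from ipfilter, from NetBSD or from Linux ip_masq. It parses the h1,h2,h3,h4,p1,p2 form that PORT commands and 227 PASV replies use (RFC 959) and flags the endpoints a peer could never reach: a non-routable address, which is exactly the "bogus from b's point of view" case above, or an address that differs from the speaker's own, which is what a NAT helper would have to rewrite and what a strict helper refuses. The transcript, addresses and the `C> `/`S> ` line prefixes are constructed for the example.

```python
"""Audit the data-connection endpoints an FTP control channel advertises.

Added example for this mailing-list archive page; not code from the thread,
from ipfilter/ipnat, from NetBSD or from Linux ip_masq.  The transcript,
the addresses and the 'C> '/'S> ' line convention are constructed.
"""
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: the encoding shared by the PORT command and the
# "227 Entering Passive Mode (...)" reply (RFC 959).  Port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Addresses that are meaningless to the far side of a NAT: RFC 1918 private
# space plus loopback and link-local.  (The RFC 5737 documentation ranges used
# in the sample stand in for real public addresses and are deliberately not
# listed here.)
_NONROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_hostport(text):
    """Return (IPv4Address, port) from an 'h1,h2,h3,h4,p1,p2' string, or None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None  # e.g. "256" matches \d{1,3} but is not a valid octet
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def is_nonroutable(ip):
    return any(ip in net for net in _NONROUTABLE)


def audit_control_channel(lines, client_ip, server_ip):
    """Walk a control-channel transcript and report every advertised endpoint.

    client_ip / server_ip are the addresses each side is actually reachable at
    (for a NATed client, the NAT box's public address, not the private one).
    Each finding says which mode announced the endpoint and what, if anything,
    is wrong with it:
      - "unreachable": a private/loopback/link-local address was advertised,
        the case the thread describes for a client behind NAT;
      - "mismatch":    a routable address that is not the speaker's own; a NAT
        helper has to rewrite this, and strict helpers refuse it outright.
    """
    findings = []
    for line in lines:
        if line.startswith("C> PORT "):
            speaker, mode = ipaddress.IPv4Address(client_ip), "active"
            hp = parse_hostport(line[len("C> PORT "):])
        elif line.startswith("S> 227"):
            speaker, mode = ipaddress.IPv4Address(server_ip), "passive"
            hp = parse_hostport(line)
        else:
            continue  # not a line that carries an endpoint
        if hp is None:
            findings.append({"mode": mode, "raw": line, "problem": "unparseable"})
            continue
        ip, port = hp
        if is_nonroutable(ip):
            problem = "unreachable: non-routable address advertised"
        elif ip != speaker:
            problem = "mismatch: address is not the speaker's own"
        else:
            problem = None
        findings.append({"mode": mode, "ip": str(ip), "port": port, "problem": problem})
    return findings


# Constructed transcript.  Client "a" sits at 192.168.1.10 behind a NAT box
# whose public address is 203.0.113.5; server "b" is 198.51.100.20.
TRANSCRIPT = [
    "C> USER anonymous",
    "S> 331 Please specify the password.",
    "C> PASS guest@",
    "S> 230 Login successful.",
    "C> PORT 192,168,1,10,4,1",      # active mode: private address, port 4*256+1 = 1025
    "S> 200 PORT command successful.",
    "C> PORT 203,0,113,99,4,2",      # public but not the client's own address
    "S> 200 PORT command successful.",
    "C> PASV",
    "S> 227 Entering Passive Mode (198,51,100,20,195,80)",  # server's own address, port 50000
    "C> RETR file.txt",
]

if __name__ == "__main__":
    for finding in audit_control_channel(TRANSCRIPT, "203.0.113.5", "198.51.100.20"):
        print(finding)
```

Run stand-alone it prints three findings: the first PORT is unreachable from the server, the second is a mismatch, and the 227 reply is clean because the server advertised the address the client is already talking to. The check is the same one a NAT FTP helper has to make before it pinholes anything: an in-band address that is not the speaker's own is untrusted application data, and refusing it is safer than rewriting it.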