Firewall Wizards mailing list archives

Re: Active to Passive FTP translator?


From: David Pick <d.m.pick () qmul ac uk>
Date: Tue, 26 Nov 2002 16:10:47 +0000


> I am just curious at the real threat of allowing non passive FTP connections
> from clients.

The biggest threat is that you lose the ability, with many
firewalls, of controlling a fair slice of incoming calls.

If you want to have a client that can call out in active
mode you have to have a firewall that allows the data calls
from the server(s) back to your client. These incoming calls
will be from the servers to a TCP port chosen dynamically
from a specific range that should be documented for the FTP
client; however, these ranges vary between clients and/or
the OS used to support the client. So you have to allow
incoming calls to a range of TCP port numbers and that may
leave you more or less vulnerable depending on your prior
knowledge of the FTP servers, &c, &c.

Active FTP with a firewall that is sensitive to the content
of the FTP control connection is as safe as you can readily
get. In fact, in these circumstances, it makes little
difference if you use active or passive FTP. Also (of course!)
the choice of client program makes a difference - a buggy
program will be less safe than a reliable one!

-- 
        David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
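An added example, not from the message above or from the list: a small Python model of the check a firewall that is "sensitive to the content of the FTP control connection" performs, turning one control-channel line into the single data-connection pinhole it should open (server to client for a PORT command in active mode, client to server for a 227 reply in passive mode) and rejecting an address that is not the peer already on the control connection. The names and the assumed 1024-65535 client port range are mine.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Hypothetical "pinhole": the one data connection a content-aware firewall
# would permit after parsing a single FTP control-channel line.
@dataclass(frozen=True)
class Pinhole:
    src_ip: str     # side that opens the data connection
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" = server -> client (active), "outbound" = client -> server (passive)

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode_hostport(text: str) -> tuple[str, int]:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def pinhole_from_port_command(line: str, client_ip: str, server_ip: str,
                              client_ports: range = range(1024, 65536)) -> Pinhole:
    """Active mode: the client sent PORT, so the server will call back to the client."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    host, port = _decode_hostport(line)
    # The advertised address must be the client already seen on the control
    # connection; anything else would open a hole toward a third party.
    if IPv4Address(host) != IPv4Address(client_ip):
        raise ValueError(f"PORT address {host} is not the control-connection client {client_ip}")
    # Only the documented client data-port range (assumed 1024-65535 here) is accepted.
    if port not in client_ports:
        raise ValueError(f"client data port {port} outside permitted range")
    return Pinhole(server_ip, client_ip, port, "inbound")

def pinhole_from_pasv_reply(line: str, client_ip: str, server_ip: str) -> Pinhole:
    """Passive mode: the server replied 227, so the client will call out to the server."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    host, port = _decode_hostport(line)
    # Same rule in the other direction: the server may only advertise itself.
    if IPv4Address(host) != IPv4Address(server_ip):
        raise ValueError(f"227 address {host} is not the control-connection server {server_ip}")
    if port <= 1023:
        raise ValueError(f"server data port {port} is a privileged port")
    return Pinhole(client_ip, server_ip, port, "outbound")
```

With this check in place the firewall opens exactly one transient hole per transfer instead of a standing range of incoming ports, which is why active and passive mode end up roughly equivalent behind such a device.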

