Firewall Wizards mailing list archives
Re: Active to Passive FTP translator?
From: David Pick <d.m.pick () qmul ac uk>
Date: Tue, 26 Nov 2002 16:10:47 +0000
> I am just curious at the real threat of allowing non passive FTP connections from clients.

The biggest threat is that you lose the ability, with many firewalls, of controlling a fair slice of incoming calls. If you want to have a client that can call out in active mode you have to have a firewall that allows the data calls from the server(s) back to your client. These incoming calls will be from the servers to a TCP port chosen dynamically from a specific range that should be documented for the FTP client; however, these ranges vary between clients and/or the OS used to support the client. So you have to allow incoming calls to a range of TCP port numbers and that may leave you more or less vulnerable depending on your prior knowledge of the FTP servers, &c, &c.

Active FTP with a firewall that is sensitive to the content of the FTP control connection is as safe as you can readily get. In fact, in these circumstances, it makes little difference if you use active or passive FTP.

Also (of course!) the choice of client program makes a difference - a buggy program will be less safe than a reliable one!

--
David Pick
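Added example, not part of the message above: a Python sketch of what "sensitive to the content of the FTP control connection" buys you, comparing the single flow derived from a client's PORT command with the number of ports a fixed inbound range rule leaves reachable. The function names, the sample addresses, the 1024-65535 range and the policy of refusing foreign addresses and privileged ports are assumptions of this sketch.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): address octets, then port high and low bytes.
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(line):
    """Return (ip, port) named by an FTP PORT command, or None if not a valid one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def pinhole(client_ip, server_ip, line):
    """Return the one (src_ip, src_port, dst_ip, dst_port) flow to admit, or None."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    # Sketch policy (assumption): only open towards the host that owns the
    # control connection, and never towards a privileged port.
    if ip != client_ip or port < 1024:
        return None
    # Active-mode data calls come from the server's data port, 20 by default.
    return (server_ip, 20, client_ip, port)

def static_rule_exposure(low, high):
    """Ports left reachable by a fixed 'allow inbound low-high' rule."""
    return high - low + 1

# Constructed control-channel lines from client 192.0.2.10 to server 198.51.100.5.
SAMPLE = [
    "USER anonymous\r\n",
    "PORT 192,0,2,10,195,80\r\n",   # 195*256 + 80 = 50000
    "PORT 192,0,2,99,195,80\r\n",   # names a different host
    "PORT 192,0,2,10,0,25\r\n",     # privileged port
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(repr(line), "->", pinhole("192.0.2.10", "198.51.100.5", line))
    print("static 1024-65535 rule exposes", static_rule_exposure(1024, 65535), "ports")
```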