Firewall Wizards mailing list archives

Re: automated updating


From: Justin Smith <jds () gwi net>
Date: Thu, 11 Jan 2001 11:39:27 -0500 (EST)



On Thu, 11 Jan 2001, sh lee wrote:

> I have a virus scanner in my web server in the DMZ which
> requires automated updating using ftp to the vendor's
> server. I know there is a risk if I opened the FTP service
> at the FW but what's the other alternative then?


If you are ftp'ing OUT, you do not need to enable ftpd. If I am not
understanding you and the automated update ftp's FROM the vendor, you can
implement tcpwrappers for ftp so that only connections from the vendor's
ftp server are allowed to connect. This is done using tcpd and the
hosts.allow/deny files in BSDi (think it's pretty much the same thing in
FreeBSD?) and tcpwrap in other OSes. You could also perform the source IP
check in your packet filter rules, if you are using a packet filter.

-jds



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
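
The hosts.allow/hosts.deny restriction mentioned in the reply above, as an added example that is not part of the original message: a simplified Python model of the TCP Wrappers lookup order, showing that an allow entry for the vendor only restricts access when hosts.deny also matches everyone else. The daemon name `ftpd` and the address 192.0.2.10 are constructed placeholders, and only the ALL, exact-IP, prefix and net/mask client patterns are modelled.

```python
import ipaddress

# Constructed sample rules: 192.0.2.10 stands in for the vendor's FTP server
# and "ftpd" for the daemon's process name (both are assumptions).
HOSTS_ALLOW = """
# /etc/hosts.allow
ftpd: 192.0.2.10
"""
HOSTS_DENY = """
# /etc/hosts.deny
ftpd: ALL
"""

def parse(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # prefix form, e.g. "192.0.2."
        return ip.startswith(pattern)
    if "/" in pattern:                   # net/mask form, e.g. 192.0.2.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def any_rule_matches(rules, daemon, ip):
    return any((daemon in d or "ALL" in d) and
               any(client_matches(p, ip) for p in c) for d, c in rules)

def allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """A hosts.allow match grants; else a hosts.deny match refuses; else granted."""
    if any_rule_matches(parse(allow_text), daemon, ip):
        return True
    if any_rule_matches(parse(deny_text), daemon, ip):
        return False
    return True  # no match in either file means access is granted

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "granted" if allowed("ftpd", ip) else "refused")
```

With an empty hosts.deny the second address is granted as well, which is why the deny entry matters as much as the allow entry.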

