Firewall Wizards mailing list archives
Re: automated updating
From: Justin Smith <jds () gwi net>
Date: Thu, 11 Jan 2001 11:39:27 -0500 (EST)
On Thu, 11 Jan 2001, sh lee wrote:
> I have a virus scanner in my web server in the DMZ which requires automated updating using ftp to the vendor's server. I know there is a risk if I opened the FTP service at the FW but what's the other alternative then?
If you are ftp'ing OUT, you do not need to enable ftpd. If I am not understanding you and the automated update ftp's FROM the vendor, you can implement tcpwrappers for ftp so that only connections from the vendor's ftp server are allowed to connect. This is done using tcpd and the hosts.allow/deny files in BSDi (think it's pretty much the same thing in FreeBSD?) and tcpwrap in other OSes. You could also perform the source IP check in your packet filter rules, if you are using a packet filter.

-jds
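Added example, not part of the original post: a simplified Python model of how tcpd evaluates hosts.allow and hosts.deny, showing that an allow entry for the vendor restricts nothing unless hosts.deny also denies everyone else. The addresses are constructed placeholders from documentation ranges, the daemon name ftpd is assumed to match the wrapped service, and only IPv4 ALL, exact-address, prefix and net/mask patterns are modelled.

```python
import ipaddress

VENDOR = "192.0.2.10"      # constructed placeholder for the vendor's FTP server
STRANGER = "203.0.113.77"  # constructed placeholder for any other host

HOSTS_ALLOW = "ftpd: 192.0.2.10\n"   # allow entry for the vendor only
HOSTS_DENY_EMPTY = ""                # weak: nothing is ever denied
HOSTS_DENY_DEFAULT = "ftpd: ALL\n"   # corrected: deny whatever was not allowed


def _client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address (subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask, e.g. "192.0.2.0/255.255.255.0"
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip             # exact address


def _rule_matches(line, daemon, ip):
    """True if a 'daemon_list : client_list' line covers this daemon and client."""
    line = line.split("#", 1)[0].strip()   # drop comments and blank lines
    if ":" not in line:
        return False
    daemons, clients = line.split(":")[:2]
    daemons = daemons.replace(",", " ").split()
    clients = clients.replace(",", " ").split()
    return (daemon in daemons or "ALL" in daemons) and any(
        _client_matches(p, ip) for p in clients)


def access_granted(hosts_allow, hosts_deny, daemon, ip):
    """hosts.allow is searched first, then hosts.deny; no match in either grants access."""
    if any(_rule_matches(l, daemon, ip) for l in hosts_allow.splitlines()):
        return True
    if any(_rule_matches(l, daemon, ip) for l in hosts_deny.splitlines()):
        return False
    return True


if __name__ == "__main__":
    for name, deny in (("empty hosts.deny", HOSTS_DENY_EMPTY),
                       ("hosts.deny 'ftpd: ALL'", HOSTS_DENY_DEFAULT)):
        for ip in (VENDOR, STRANGER):
            print(name, ip, access_granted(HOSTS_ALLOW, deny, "ftpd", ip))
```

The check is only as strong as the source address, so it complements rather than replaces the packet filter rule mentioned in the reply.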