Re: stateful firewall

To: debian-firewall@lists.debian.org
Subject: Re: stateful firewall
From: Mike Fedyk <mfedyk@matchmail.com>
Date: Thu, 22 Mar 2001 10:57:14 -0800
Message-id: <20010322105714.N27451@mikef-linux-x86>
Mail-followup-to: Mike Fedyk <mfedyk@matchmail.com>, debian-firewall@lists.debian.org
In-reply-to: <20010322083718.A3688@lion.kingsley.co.za>; from wood@kingsley.co.za on Thu, Mar 22, 2001 at 08:37:18AM +0200
References: <20010321162700.A10310@cory-l.petersen-arne.com> <20010322083718.A3688@lion.kingsley.co.za>

On Thu, Mar 22, 2001 at 08:37:18AM +0200, Michael Wood wrote:
> e.g. filtering FTP traffic properly.  With a stateless firewall,
> you either have to allow only active FTP sessions into your
> network from the outside if you have an internal FTP server for
> some reason, and passive FTP sessions from the inside to
> external FTP servers, or you have to allow anyone to connect to
> any high port on any of your internal machines.  With a stateful
> packet filter that understands the FTP protocol, you can just
> tell it to allow FTP connections and not have to open up huge
> ranges of ports that actually have nothing at all to do with
> FTP, but could be used in transferring FTP data.

In a way, 2.2 already had something similar.  Masq+Masq_ftp.

You can even masq only ftp, and get the benifit.  Though, this is a
workaround, it does help.

Mike

Reply to:

Follow-Ups:
- Re: stateful firewall
  - From: Daniel Stone <daniel@kabuki.openfridge.net>

References:
- stateful firewall
  - From: Cory Petkovsek <coryp@petersen-arne.com>
- Re: stateful firewall
  - From: Michael Wood <wood@kingsley.co.za>

Prev by Date: Re: Routing problem...
Next by Date: Re: stateful firewall
Previous by thread: Re: stateful firewall
Next by thread: Re: stateful firewall
Index(es):
- Date
- Thread