Re: stateful firewall
On Thu, Mar 22, 2001 at 08:37:18AM +0200, Michael Wood wrote:
> e.g. filtering FTP traffic properly. With a stateless firewall,
> you either have to allow only active FTP sessions into your
> network from the outside if you have an internal FTP server for
> some reason, and passive FTP sessions from the inside to
> external FTP servers, or you have to allow anyone to connect to
> any high port on any of your internal machines. With a stateful
> packet filter that understands the FTP protocol, you can just
> tell it to allow FTP connections and not have to open up huge
> ranges of ports that actually have nothing at all to do with
> FTP, but could be used in transferring FTP data.
In a way, 2.2 already had something similar. Masq+Masq_ftp.
You can even masq only ftp, and get the benefit. Though this is a
workaround, it does help.
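
The FTP-aware filtering described in the quoted paragraph, as an added example that is not part of the original messages and is not kernel or masquerading code: a toy tracker that reads the control channel and opens one pinhole per announced data connection instead of a range of high ports. The names `FtpTracker`, `inspect`, `allow_data` and `demo`, the addresses, and the own-address and port >= 1024 policy are assumptions made for this sketch.

```python
import re

# RFC 959 address form h1,h2,h3,h4,p1,p2: PORT from the client, 227 from the server.
_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class FtpTracker:
    """Toy FTP-aware state table: one pinhole per announced data connection."""

    def __init__(self, control_sessions):
        self.control = set(control_sessions)  # allowed (client_ip, server_ip) pairs
        self.expected = set()                 # (src_ip, dst_ip, dst_port) pinholes

    @staticmethod
    def _endpoint(match):
        nums = [int(x) for x in match.groups()]
        if max(nums) > 255:
            return None
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

    def inspect(self, sender, receiver, line):
        """Feed one control-channel line; return True if it opened a pinhole."""
        if (sender, receiver) in self.control:      # client -> server: PORT
            m = _PORT.match(line)
        elif (receiver, sender) in self.control:    # server -> client: 227 reply
            m = _PASV.match(line)
        else:
            return False
        ep = self._endpoint(m) if m else None
        # Example policy: the announced address must be the sender's own, port >= 1024.
        if ep is None or ep[0] != sender or ep[1] < 1024:
            return False
        self.expected.add((receiver, ep[0], ep[1]))
        return True

    def allow_data(self, src, dst, dport):
        """Permit a new data connection only if announced; each pinhole is one-shot."""
        key = (src, dst, dport)
        allowed = key in self.expected
        self.expected.discard(key)
        return allowed


def demo():
    """Constructed session: internal client 10.0.0.5, external server 192.0.2.10."""
    t = FtpTracker([("10.0.0.5", "192.0.2.10")])
    t.inspect("192.0.2.10", "10.0.0.5", "227 Entering Passive Mode (192,0,2,10,195,80)")
    return [t.allow_data("10.0.0.5", "192.0.2.10", p) for p in (50000, 50001)]
```

In `demo()` the announced passive port (195*256+80 = 50000) is admitted once and the neighbouring high port is refused, which is the difference from the stateless rule that must leave every high port open.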