
Re: ip_masq_ftp

On Sat, Nov 24, 2001 at 02:05:31PM +0200, Tzafrir Cohen wrote:
> The problem is that passive-mode FTP is just as big a hole to the server
> (it has to allow connections to any high port)

Yes, but hardening one server is easier than a lot of client networks.

> Those servers are relatively rare, because web browsers tend to use only
> passive-mode ftp (right?)

Well, IE can switch to active mode.

> [ at the expense of a more complicated system and extra CPU and disk space ]

Proxies do not need to store the file, so no disk is needed. The CPU load is
not very high if you have an FTP proxy which is only parsing the command
connection and establishing "port forward" redirections.

> [ read: big brother ]

read: malware detection

> Squid and similar http proxies can be a sort-of a ftp-proxy.

Yes, but they are not really secure nor do they support reverse proxy.
Currently there are FWTP ftp-gw, SuSE Proxy Suite and jftpgw and juniper
which can be considered (more or less) stable and secure for ALG.

It is even better to not use FTP at all.
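
Added example, not part of the original message and not code from any of the proxies named in it: a sketch of the control-connection parsing such an FTP proxy performs, rewriting `PORT` commands and `227` replies to point at the proxy and recording the forward it must set up. The class name, the `alloc_port` callback and all addresses are assumptions (constructed documentation addresses); the checks that the announced address matches the real peer and that the port is not privileged are one common hardening choice.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 (passive) reply
_HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from the first host-port tuple in text."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port tuple")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def format_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

class ControlChannelAlg:
    """Hypothetical proxy core: sees only control-connection lines."""
    def __init__(self, client_ip, server_ip, proxy_ip, alloc_port):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.proxy_ip, self.alloc_port = proxy_ip, alloc_port
        self.forwards = []  # (proxy listen port, target ip, target port)

    def _redirect(self, ip, port, expected_ip):
        # Refuse tuples naming a third host or a privileged port.
        if ip != expected_ip or port < 1024:
            return None
        listen = self.alloc_port()
        self.forwards.append((listen, ip, port))
        return format_hostport(self.proxy_ip, listen)

    def client_line(self, line):
        """Client to server. Returns the line to send on, or None to refuse."""
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() != "PORT":
            return line
        tup = self._redirect(*parse_hostport(arg), self.client_ip)
        return None if tup is None else "PORT %s\r\n" % tup

    def server_line(self, line):
        """Server to client. Only single-line 227 replies are rewritten."""
        if not line.startswith("227 "):
            return line
        tup = self._redirect(*parse_hostport(line), self.server_ip)
        return None if tup is None else "227 Entering Passive Mode (%s)\r\n" % tup
```

The caller opens one listener per entry in `forwards` and relays bytes without storing them; a `None` result means the proxy should answer the sender with an error instead of passing the line on.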

