On Sat, Nov 24, 2001 at 02:05:31PM +0200, Tzafrir Cohen wrote:
> The problem is that passive-mode FTP is just as big a hole to the server
> (it has to allow connections to any high port)
Yes, but hardening one server is easier than a lot of client networks.
> Those servers are relatively rare, because web browsers tend to use only
> passive-mode ftp (right?)
Well, IE can switch to active mode.
> [ at the expense of a more complicated system and extra CPU and disk space ]
Proxies do not need to store the file, so no disk is needed. The CPU load is
not very high if you have an FTP proxy which only parses the command
connection and establishes "port forward" redirections.
> [ read: big brother ]
read: malware detection
> Squid and similar http proxies can be a sort-of a ftp-proxy.
Yes, but they are not really secure, nor do they support reverse proxying.
Currently there is FWTP ftp-gw, SuSE Proxy Suite and jftpgw and juniper
which can be considered (more or less) stable and secure for ALG.
It is even better to not use FTP at all.
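The "parse the command connection, open one port forward per transfer" idea from the reply above, as an added example that is not part of the thread and is not code from ftp-gw, the SuSE Proxy Suite, jftpgw or juniper. It assumes the ALG sees the control channel in the clear, and the client/server addresses and the transcript are constructed for illustration. It shows why an ALG is narrower than "allow any high port": the only data-connection endpoints it opens are the ones actually announced in PORT commands and 227 replies, and it refuses endpoints that point at a third host (the classic FTP bounce) or at a privileged port.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 from the client; "227 ... (h1,h2,h3,h4,p1,p2)" from the server (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(fields):
    """Turn the six decimal fields of PORT/227 into (ip, port); reject out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT/PASV field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


@dataclass(frozen=True)
class Pinhole:
    src: str   # host allowed to initiate the data connection
    dst: str   # host that must accept it
    port: int  # the single TCP port opened, instead of "any high port"


def ftp_alg(client_ip, server_ip, transcript):
    """Walk a control-channel transcript and derive one pinhole per announced transfer.

    transcript is a list of (sender, line) with sender 'C' (client) or 'S' (server).
    Returns (pinholes, rejected); rejected holds (line, reason) for endpoints the
    ALG refuses to open.
    """
    pinholes, rejected = [], []
    for sender, line in transcript:
        if sender == "C":
            m = PORT_RE.match(line)
            if not m:
                continue  # USER, RETR, PASV and friends carry no endpoint
            host, port = decode_hostport(m.groups())
            # Active mode: the server connects from port 20 to the client's endpoint.
            if host != client_ip:
                rejected.append((line, "PORT to a third host (FTP bounce)"))
                continue
            if port < 1024:
                rejected.append((line, "PORT to a privileged port"))
                continue
            pinholes.append(Pinhole(src=server_ip, dst=host, port=port))
        elif sender == "S":
            m = PASV_RE.match(line)
            if not m:
                continue
            host, port = decode_hostport(m.groups())
            # Passive mode: the client connects to the endpoint the server advertised.
            if host != server_ip:
                rejected.append((line, "227 reply advertises a different host"))
                continue
            if port < 1024:
                rejected.append((line, "227 reply advertises a privileged port"))
                continue
            pinholes.append(Pinhole(src=client_ip, dst=host, port=port))
    return pinholes, rejected


# Constructed transcript (not captured traffic) between a client at 10.0.0.5 and a
# server at 192.0.2.10; both addresses are assumptions for the example.
SAMPLE_TRANSCRIPT = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PORT 10,0,0,5,4,1"),                               # active: 10.0.0.5:1025
    ("C", "RETR README"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),  # passive: 192.0.2.10:50000
    ("C", "RETR README"),
    ("C", "PORT 192,0,2,99,0,25"),                            # bounce attempt toward 192.0.2.99:25
]


def demo():
    return ftp_alg("10.0.0.5", "192.0.2.10", SAMPLE_TRANSCRIPT)


if __name__ == "__main__":
    holes, bad = demo()
    for h in holes:
        print("allow  %s -> %s:%d" % (h.src, h.dst, h.port))
    for line, why in bad:
        print("reject %r: %s" % (line, why))
```

The pinholes it emits are what a real ALG would translate into temporary firewall rules and tear down when the transfer ends; a plain packet filter has no way to learn those ports without parsing the control channel, which is exactly the trade the reply describes.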