Re: ip_masq_ftp

To: Tzafrir Cohen <tzafrir@technion.ac.il>
Cc: Iain <iain@minihub.org>, debian-firewall@lists.debian.org
Subject: Re: ip_masq_ftp
From: Bernd Eckenfels <lists@lina.inka.de>
Date: Sat, 24 Nov 2001 15:29:25 +0100
Message-id: <[🔎] 20011124152925.A18497@lina.inka.de>
In-reply-to: <[🔎] Pine.GSO.4.33_heb2.09.0111241352440.10801-100000@techunix.technion.ac.il>
References: <[🔎] 20011124072634.A5015@lina.inka.de> <[🔎] Pine.GSO.4.33_heb2.09.0111241352440.10801-100000@techunix.technion.ac.il>

On Sat, Nov 24, 2001 at 02:05:31PM +0200, Tzafrir Cohen wrote:
> The problem is that passive-mode FTP is just as big a hole to the server
> (it has to allow connections to any high port)

Yes, but hardeing one server is easier than a lot of client networks.

> Those servers are relatively rare, because web browsers tend to use only
> passive-mode ftp (right?)

Well, IE can switch to active mode.

> [ at the expense of a more complicated system and extra CPU and disk space ]

Proxies do not need to store the file, so no disk is needed. The CPU load is
not very high if you have a FTP Proxy which is only parsing the command
connection and establishing "port forward" rediretions.

> [ read: big brother ]

read: malware detection

> Squid and similar http proxies can be a sort-of a ftp-proxy.

Yes, but they are not realy secure nor do they support reverse proxy.
Currently there is FWTP ftp-gw, SuSE Proxy Suite and jftpgw and juniper
which can be considered (more or less) stable and secure for ALG.

It is even better to not use FTP at all.

Greetings
Bernd

Reply to:

References:
- Re: ip_masq_ftp
  - From: Bernd Eckenfels <lists@lina.inka.de>
- Re: ip_masq_ftp
  - From: Tzafrir Cohen <tzafrir@technion.ac.il>

Prev by Date: Re: ip_masq_ftp
Next by Date: Samba (offtopic)
Previous by thread: Re: ip_masq_ftp
Next by thread: Samba (offtopic)
Index(es):
- Date
- Thread