Re: FXP
On Wed, May 08, 2002 at 06:32:13PM +0200, Lukasz Wojcik wrote:
> Here I'll answer Adrian:
> Basically, you don't need to set anything special on the FTP servers to set up an FXP connection.
Not true.
http://proftpd.linux.co.uk/docs/faq/proftpdfaq-3.html#ss3.6
This option is disabled by default in ProFTPD, because...
> As far as security is concerned, the problems are the same as with
> direct client->server connections.
Not true.
Normally, proftpd disallows clients from using the ftp PORT command
with anything other than their own address (the source address of the
ftp control connection), as well as preventing the use of PORT to
specify a low-numbered (< 1024) port. In either case, the client is
sent an "Invalid port" error and a message is syslog'd indicating
either "address mismatch" or "bounce attack". By enabling this
directive, proftpd will allow clients to transmit foreign data
connection addresses that do not match the client's address. This
allows such tricks as permitting a client to transfer a file between
two FTP servers without involving itself in the actual data
connection. Generally it's considered a bad idea, security-wise, to
permit this sort of thing.
AllowForeignAddress only affects data connection addresses; not tcp
ports. There is no way (and no valid reason) to allow a client to use
a low-numbered port in its PORT command.
Wanted
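
The PORT checks described in the ProFTPD text quoted in the message above, as an added example that is not part of the original message and is not ProFTPD's own code. The function names, the order of the two checks and the sample addresses (documentation ranges) are assumptions; the reason strings are the ones the quoted text mentions.

```python
import ipaddress

def parse_port_arg(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def check_port(arg, control_peer, allow_foreign_address=False):
    """Return (accepted, reason) for a PORT command.

    control_peer is the source address of the FTP control connection.
    allow_foreign_address models the AllowForeignAddress directive.
    """
    try:
        addr, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, str(exc)
    # Low-numbered ports are always refused; the directive does not relax this.
    if port < 1024:
        return False, "bounce attack"
    # A data address other than the client's own is what FXP needs,
    # and it is refused unless the directive is enabled.
    if addr != ipaddress.IPv4Address(control_peer) and not allow_foreign_address:
        return False, "address mismatch"
    return True, "ok"

if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed sample: client on the control connection
    samples = [           # constructed PORT arguments
        ("192,0,2,10,19,137", False),   # own address, port 5001
        ("198,51,100,7,19,137", False), # foreign address, directive off
        ("198,51,100,7,19,137", True),  # foreign address, directive on (FXP)
        ("198,51,100,7,0,25", True),    # low port, refused even with directive on
    ]
    for arg, allow in samples:
        print(arg, allow, check_port(arg, peer, allow))
```
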