[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is NFS export r/o safe from lan to dmz?

On Mon, Mar 03, 2008 at 12:03:32PM -0500, Douglas A. Tutty wrote:
> Wouldn't a chrooted ftp server do the same thing?  

ftp is a intrinsecally more complex protocol than http (see the problems
for firewalls with active/passive ftp; see the bounce scan possibilities
of the protocol, so that even the OpenBSD ftpd cannot fully implement
that part of the ftp protocol defined by the rfc; ...).

Moreover, the security history of ftp daemons is worse than the security
history of http daemons (and it is possibly even worse than the security
history of portmap/nfsd)

A _simple_ _mimimalistic_ implementation of a _simple_ protocol (by a
competent programmer) quite possibly has less programming errors than a
more complex program ("if debugging puts bugs out of programs, them
programming must put bugs in").

Chi usa software non libero avvelena anche te. Digli di smettere.
Informatica=arsenico: minime dosi in rari casi patologici, altrimenti letale.
Informatica=bomba: intelligente solo per gli stupidi che ci credono.

Reply to: