Paul-Andrew Joseph Miseiko
esoteric at teardrop.ca
Thu Jul 29 19:52:27 EDT 2004
Even a stateful solution creates a potential problem. Granted the
non-stateful approach creates a very apparent issue; a stateful approach
can still be used as a hole, but only by the remote ftp server.
In the end it just depends on how paranoid you are.
From: hybrid-bounces at lists.ircd-hybrid.org
[mailto:hybrid-bounces at lists.ircd-hybrid.org] On Behalf Of Jonathan R. Lusky
Sent: July 29, 2004 1:23 PM
To: General IRCD-Hybrid Discussion
Subject: Re: ircd-hybrid-7.1beta1 link
I'm sure the blackened problem is a firewall rule error and I've asked them
to look into it.
As for allowing in all traffic from port 20 (at the client's firewall)
to make active FTP work, that's generally a really bad idea. The correct
solution is to use a stateful firewall with an FTP ALG that will
dynamically open holes for the reverse connection.
Paul-Andrew Joseph Miseiko writes:
> You are probably correct about wget using active by default however fetch
> will use the environment variable "FTP_PASSIVE_MODE" to determine if it
> should use passive or active.
> I have intentionally disabled active ftp for years and noticed just last
> week that blackened for some odd reason goes against the trend and does
> support passive mode. Maybe they want to be the opposite of
> ftp.microsoft.com which supports passive mode but not active mode. :)
> To enable active FTP on your firewall all you need to do is allow incoming
> packets from port 20 (default circumstancesddddddddddddr(was trying to get
> breadcrumb from between two keys there)). People probably know now why
> people disable active FTP support. ;)
Jonathan R. Lusky lusky at blown.net
68 Camaro Convt - 350 / TH350 \_/ 2000 Mustang GT Convt - 4.6SOHC / T45
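
The two firewall approaches discussed in this thread, as an added example that is not part of the original messages: a Python sketch comparing the stateless "allow source port 20" rule with a simplified stateful FTP helper that opens one hole per PORT command. The addresses, packet dictionaries and the FtpAlg class are constructed for illustration and are not any real firewall's API.

```python
import re

# All addresses below are constructed documentation-range samples.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

def parse_port(line):
    """Return (ip, port) from an RFC 959 PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def stateless_allows(pkt):
    """The rule from the thread: accept any inbound packet with source port 20."""
    return pkt["sport"] == 20

class FtpAlg:
    """Simplified stateful helper: one expected data connection per PORT command."""
    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_port)
    def control_line(self, client_ip, server_ip, line):
        parsed = parse_port(line)
        # Honour a PORT only if it points back at the client that sent it.
        if parsed and parsed[0] == client_ip:
            self.expected.add((server_ip, client_ip, parsed[1]))
    def allows(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["sport"] == 20 and key in self.expected:
            self.expected.discard(key)  # the hole closes after one use
            return True
        return False

def compare():
    """Return [(label, stateless_verdict, alg_verdict)] for constructed packets."""
    alg = FtpAlg()
    alg.control_line(CLIENT, SERVER, "PORT 192,0,2,10,195,80\r\n")  # port 50000
    packets = [
        ("server data connection", dict(src=SERVER, sport=20, dst=CLIENT, dport=50000)),
        ("same connection replayed", dict(src=SERVER, sport=20, dst=CLIENT, dport=50000)),
        ("server to unannounced port", dict(src=SERVER, sport=20, dst=CLIENT, dport=22)),
        ("unrelated host, source port 20", dict(src=OTHER, sport=20, dst=CLIENT, dport=22)),
    ]
    return [(name, stateless_allows(p), alg.allows(p)) for name, p in packets]
```

The stateless rule accepts all four packets; the helper accepts only the first, since the opening is tied to the server address and the single port the client announced.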