At 10:11 04/12/00 -0500, Paul D. Robertson wrote:
>On Mon, 4 Dec 2000, Roy G. Culley wrote:
>
> > What about normal ftp (not PASV), IIOP, net-meeting, sun-rpc, etc?
> > Keeping state is necessary if you are to have any chance of allowing
> > these without opening up huge holes in your firewall.
>
>Allowing any of these other than perhaps net meeting *is* opening a huge
>hole in your firewall, and I wouldn't put all that much trust in net
>meeting. If you have to allow things like FTP or rpc then start
>questioning why you even _have_ a firewall, because you're likely relying
>on a placebo to cure you, and you have testicular cancer.

active ftp is a problem with stateless firewalls.
if you have a proxy or a stateful FW, then the fact that a connection
is outgoing or incoming is not that important. if someone can guess
on which port your client is listening, then he can guess other things
and can do other things.

cheers,
mouss
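
The stateless-versus-stateful point discussed in this thread, as an added example that is not part of any poster's message: a static rule for active FTP must accept anything from source port 20 to a high port, while a filter that keeps state admits only the data connection announced in the client's PORT command. `StatefulFilter`, `stateless_allow` and the addresses (RFC 5737 documentation ranges) are hypothetical names and constructed values.

```python
import re

PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_port(line):
    """Return (ip, port) announced by an FTP PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def stateless_allow(src_ip, src_port, dst_ip, dst_port):
    """Static rule active FTP needs without state: source port 20 to any high port."""
    return src_port == 20 and dst_port >= 1024

class StatefulFilter:
    """Hypothetical tracker: admits only the data connection the client announced."""
    def __init__(self):
        self.expected = set()  # (server_ip, client_ip, client_port)

    def control_line(self, client_ip, server_ip, line):
        ep = parse_port(line)
        # Ignore PORT commands naming another host or a privileged port.
        if ep and ep[0] == client_ip and ep[1] >= 1024:
            self.expected.add((server_ip, client_ip, ep[1]))

    def allow(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if src_port == 20 and key in self.expected:
            self.expected.discard(key)  # one-shot pinhole
            return True
        return False

def demo():
    """Constructed traffic; addresses are RFC 5737 documentation ranges."""
    client, server, other = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    fw = StatefulFilter()
    fw.control_line(client, server, "PORT 192,0,2,10,195,80\r\n")  # port 50000
    return {
        "stateless_other_host": stateless_allow(other, 20, client, 50001),
        "stateful_other_host": fw.allow(other, 20, client, 50000),
        "stateful_announced": fw.allow(server, 20, client, 50000),
        "stateful_replay": fw.allow(server, 20, client, 50000),
    }

if __name__ == "__main__":
    print(demo())
```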