On Fri, Dec 22, 2000 at 04:37:06PM -0500, Michael H. Warfield wrote:
>       I must be missing something in this thread.  Isn't this what
> stateful inspection is for?  When you see a PORT command on an FTP
> control channel connection issued to a particular address and specifying
> a particular address and port, then you open a rule for that specific
> data connection which you then tear down after it's done.

Yes, but any program running on the inside which can make connections to the
outside (like for example a Java Applet or even a cleverly formed HTTP URL
that one of your users clicks on) will trick the firewall into opening a
hole directly into your system. Generally you should only allow PASV FTP
from your internal network to the outside, and make your FTP servers accept
that (which means they have to be hardened).

Greetings
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
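Added example, not part of the original thread: the sanity check a stateful FTP helper should apply before opening the pinhole Michael describes, so that a PORT command issued by something other than a real FTP client cannot point the rule at another internal host or a low port. It assumes the helper sees each control-channel line together with the control connection's source address (names and sample lines are constructed for this example).

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control channel (RFC 959).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (ip_string, port) from a PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def alg_should_open_pinhole(line, control_src_ip):
    """Decide whether the helper may open a data-connection rule for this PORT.

    Rejects the cases the thread is worried about: an advertised address that
    differs from the host that opened the control connection (an applet or
    crafted URL pointing the rule at some other internal machine) and a
    privileged port on that host. Returns (allowed, reason).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "not a well-formed PORT command"
    ip, port = parsed
    if ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(control_src_ip):
        return False, f"PORT address {ip} differs from control source {control_src_ip}"
    if port <= 1023:
        return False, f"PORT targets privileged port {port}"
    return True, f"open data rule to {ip}:{port} for this session only"


if __name__ == "__main__":
    # Constructed control-channel lines from an internal client at 10.0.0.5.
    for cmd in ["PORT 10,0,0,5,4,1", "PORT 10,0,0,9,4,1", "PORT 10,0,0,5,0,139"]:
        print(cmd, "->", alg_should_open_pinhole(cmd, "10.0.0.5"))
```

A full helper would additionally restrict the opened rule to the FTP server's own address as the source, so that only that peer can use it.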