On Wed, Oct 30, 2002 at 11:45:02PM +0000, Roy Badami wrote:
> I don't understand. Why is firewalling my FTP server a bad idea?
I agree with filtering any ports that aren't needed, like privileged ports on which unneeded and potentially vulnerable services that you can't disable might be listening. As for the port range used for passive FTP data connections, I think it's not worth the effort for the little additional security by obscurity it achieves. And it's not more than that: if someone exploits your ftpd, he can easily transfer any data back and forth through the FTP control connection (using legal commands and replies, if the FTP proxy is clever) and tunnel anything through there.

If all you want to achieve is to break a stupid exploit script that insists on listening on port xyz (within the common range of FTP data ports), just move the range.

Daniel
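The practical question behind the reply above is which passive data connections a port-range filter would actually block. The following checker is an added example, not code from the original mail or from any particular ftpd or firewall: it parses the port a server advertises in a `227` (RFC 959 PASV) or `229` (RFC 2428 EPSV) reply and reports whether a filter that only permits a given range on the control peer's address would let that data connection through. The sample replies, the control peer address 192.0.2.10 and the permitted range 50000-50100 are constructed for the demonstration.

```python
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."  port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"  host is the control peer
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line):
    """Return (host, port) advertised by a 227/229 reply.

    host is None for EPSV, because that reply carries no address. Returns None
    when the line is not a passive-mode reply at all.
    """
    m = PASV_RE.search(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if any(x > 255 for x in (a, b, c, d, p1, p2)):
            raise ValueError("octet out of range in 227 reply: %r" % line)
        return ("%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2)
    m = EPSV_RE.search(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in 229 reply: %r" % line)
        return (None, port)
    return None


def classify(reply, control_peer, allowed):
    """Decide what a port-range filter bound to the control peer does with this reply.

    allowed is an inclusive (low, high) tuple of permitted passive data ports.
    A 227 reply that points at a host other than the control peer is flagged
    separately: a filter keyed on the control connection would not open it.
    """
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return "not-passive"
    host, port = parsed
    if host is not None and host != control_peer:
        return "foreign-host"
    low, high = allowed
    if not low <= port <= high:
        return "blocked-port"
    return "allowed"


def audit(replies, control_peer, allowed):
    """Run classify() over a list of server replies; returns [(reply, verdict), ...]."""
    return [(r, classify(r, control_peer, allowed)) for r in replies]


# Constructed sample replies (not captured traffic). The second one advertises
# port 4*256+1 = 1025, i.e. outside a typical high passive range.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80).",   # 50000
    "227 Entering Passive Mode (192,0,2,10,4,1).",      # 1025
    "229 Entering Extended Passive Mode (|||50042|)",   # 50042
    "227 Entering Passive Mode (198,51,100,7,195,90).", # other host, 50010
    "200 NOOP ok.",                                     # not a passive reply
]

if __name__ == "__main__":
    # Assumed control peer and permitted range for the demonstration.
    for reply, verdict in audit(SAMPLE_REPLIES, "192.0.2.10", (50000, 50100)):
        print("%-14s %s" % (verdict, reply))
```

The point of running it against your own server's replies is to see that the filter's effect is exactly what the mail says: a connection is blocked only when the server happens to advertise a port outside the range, which is a property of the ftpd's configuration rather than a barrier to anyone who already controls the ftpd and the control channel.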