OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: FTP with firewall rules
From: Andre Gironda (andresun4c.net)
Date: Sat Apr 01 2000 - 22:08:28 CST

Yes, that's exactly it. Piercing firewalls is not always as
simple as passive vs active ftp.

Proxies are a great idea in most cases, although I think they're
a bit restrictive. But then again, do you really want people
using programs like httptunnel and creating a potential security
problem?

Have you seen http://www.detached.net/mailtunnel.html ?

Guess that means that UUCP mail through a dial up connection
isn't really that bad of an idea. Controlling what data is
*really* going through your network is more complex than you think.
Especially in this day and age.

dre

On Sat, Apr 01, 2000 at 05:02:17PM -0600, James Wyatt wrote:
> On Sat, 1 Apr 2000, Nate Williams wrote:
> > > export/setenv http_proxy!
> >
> > Huh?
> >
> > > of course, you have to find all of the distfiles manually, since only
> > > about 4% of them have an http site to download the source from.
> >
> > That's irrelevant. You can still download *ALL* of them via
> > passive-mode ftp. I have yet to find a site that didn't let me download
> > with ftp in passive mode, so if you are *truly* interested in security,
> > then you certainly don't want to open up so people can use active-mode
> > ftp from behind your firewall.
>
> Andre said his was a special case and that "it works though, but i doubt
> it's what you are looking for. i had to do this behind a firewall/proxy
> architecture that did not allow ftp."
>
> I took it to mean "*he* *has* to use HTTP to fetch because his firewall
> doesn't support *any* ftp" and that if there is some problem with active
> FTP it might still work. - Jy 

-- 
This program has been brought to you by the language C and the number F.

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message