Firewall Wizards mailing list archives
Re: PASSV (passive mode) FTP through routers/firewalls
From: Leonard Miyata <leonard () geminisecure com>
Date: Wed, 16 Jun 1999 11:59:47 -0700 (PDT)
As far as the client side is concerned, the vulnerability of high port probing can be reduced through the use of a proxy application (such as SQUID) running on a bastion host in the DMZ. SQUID supports FTP GET from the common browsers (IE3, IE4 and Netscape Navigator 4.X). The screened routers would be set so that the inside can only talk to the bastion host, and only the bastion host can go out to the Internet. As far as exposure is concerned, only the bastion host is visible and exposed to probes.

Vulnerabilities of the SUN FTP server I will leave to people with more experience in the subject....

Personal Opinions Provided by Leonard Miyata aka leonard () geminisecure com
Gemini Computers Inc.

On Wed, 16 Jun 1999, Riley, Larry wrote:
I have a question about allowing PASSV (passive mode) FTP through routers/firewalls. We have a client who needs to be able to retrieve files via FTP from our FTP server. As of yet, they have been unable to do so, due to the fact that they only allow PASSV (passive mode) FTP through their router/firewall, and our server currently refuses permission for passive FTP.

I found some information indicating that in order to enable passive FTP on our server, we would have to give world write permissions to the pseudo-device /dev/tcp. This is apparently an artifact of Solaris. Off the cuff, it strikes me that this permissioning might be a security concern.

Arguably it is a bit more secure from the customer's point of view for them to allow only PASSV mode. Since they only have a router and not a stateful firewall, they would have to open TCP high ports, which would leave them vulnerable to TCP high port probing and denial of service attacks on their internal hosts.

Does anyone have any words of wisdom whether we should enable passive mode in this situation?

Thanks
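The exchange the two posts argue about, worked through as an added example (editor's code, not from either poster): in RFC 959 terms the client sends PASV (the thread's "PASSV") and the server answers with a 227 reply carrying an h1,h2,h3,h4,p1,p2 tuple; in active mode the client instead sends PORT with the same tuple and the server connects back from port 20. The block parses that tuple, sanity-checks the advertised endpoint against the control peer, and then models which rules a stateless client-side packet filter would need for each mode, so the "open TCP high ports" exposure Larry describes falls out of the rules rather than being asserted. The sample 227 reply and PORT command are constructed, and the rule model (direction, ports, "any" versus "ack") is a hypothetical illustration, not the syntax of any particular router.

```python
import re
from collections import namedtuple
from ipaddress import ip_address

# Constructed sample control-channel lines (not taken from the thread):
# a server's reply to PASV, and a client's PORT command for active mode.
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,89)."
SAMPLE_PORT = "PORT 198,51,100,7,4,1"

HIGH = "1024-65535"  # the "TCP high ports" a stateless filter has to reason about

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Parse the h1,h2,h3,h4,p1,p2 tuple carried by both PORT and the 227 reply.

    Returns (ip_string, port), where port = p1 * 256 + p2 (RFC 959).
    Raises ValueError if the tuple is missing or an octet exceeds 255.
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def check_data_endpoint(advertised, control_peer):
    """Sanity-check a data-channel endpoint before honouring it.

    The address must be the one on the far end of the control connection
    (otherwise a client can bounce through the server, or a server can
    redirect the client at an unrelated host), and the port must not be a
    privileged one. Returns (ok, reason).
    """
    host, port = advertised
    if ip_address(host) != ip_address(control_peer):
        return False, "%s is not the control peer %s" % (host, control_peer)
    if port < 1024:
        return False, "port %d is privileged" % port
    return True, "ok"


# Hypothetical rule model for illustration. flags: "any" lets a new connection
# (SYN) through; "ack" passes only packets with ACK set, i.e. replies to
# connections that were opened from the inside.
Rule = namedtuple("Rule", "direction src sport dst dport flags")


def client_filter_rules(mode, client, server):
    """Rules a stateless client-side packet filter needs for one FTP mode."""
    ctrl = [Rule("out", client, HIGH, server, 21, "any"),
            Rule("in", server, 21, client, HIGH, "ack")]
    if mode == "active":
        # The server opens the data connection from port 20 to the client's
        # high port, so inbound SYNs to the whole high range must be permitted.
        data = [Rule("in", server, 20, client, HIGH, "any"),
                Rule("out", client, HIGH, server, 20, "any")]
    elif mode == "passive":
        # The client opens the data connection to the server's advertised high
        # port; only replies need to come back in.
        data = [Rule("out", client, HIGH, server, HIGH, "any"),
                Rule("in", server, HIGH, client, HIGH, "ack")]
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return ctrl + data


def inbound_syn_exposed(rules):
    """True if any rule lets an outside host open connections to inside high ports."""
    return any(r.direction == "in" and r.flags == "any" and r.dport == HIGH
               for r in rules)


if __name__ == "__main__":
    print(parse_hostport(SAMPLE_227))   # ('192.0.2.10', 50009)
    print(parse_hostport(SAMPLE_PORT))  # ('198.51.100.7', 1025)
    for mode in ("active", "passive"):
        rules = client_filter_rules(mode, "10.0.0.5", "192.0.2.10")
        print(mode, "exposes inside high ports to probing:",
              inbound_syn_exposed(rules))
```

Two caveats for anyone applying this. The "ack" rules only stop connection establishment; a stateless filter that passes any ACK-flagged packet to the high range still lets an outsider ACK-scan the inside hosts, which is part of why a stateful firewall (or the bastion-host proxy Leonard suggests) is the cleaner answer. And the endpoint check applies on both ends: a server should refuse PORT tuples that do not match the control peer, and a client should refuse 227 replies that do not.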
Current thread:
- PASSV (passive mode) FTP through routers/firewalls Riley, Larry (Jun 16)
- Re: PASSV (passive mode) FTP through routers/firewalls Leonard Miyata (Jun 20)
- Re: PASSV (passive mode) FTP through routers/firewalls Kevin Steves (Jun 20)