Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] probs with ftp-masquerading
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Tue, 22 Jan 2002 03:28:54 +0100 (MET)
  • Message-id: <Pine.LNX.4.44.0201220326450.4470-100000@xxxxxxxxxxxx>
>
> Well, of course this is a possibility. But I'm not looking forward to
> explaining to all the users that they HAVE to use passive mode. I don't know
> what work you do, but normally you have a few absolute idiots in front of the PCs.
> And, what's more, I'd like to repair the cause, not to do workarounds at the
> symptoms :-)
>
> Stephan
>

Well, from the security standpoint, passive mode is always preferable as
opposed to PORT mode. The reason is very simple: You don't really want
some entity outside to be able to open tcp connections to the inside.

If you carefully send ftp protocol data through a ftp masquerading router,
you can shoot open as many ports as you like. With some restrictions of
course, but still.

Roman.
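
As an added illustration, not part of the original post: the kind of check an FTP masquerading helper has to apply to a PORT command before it opens an inbound port. The function names, the `min_port` threshold and the sample lines are assumptions constructed for this example, not the code of any real helper.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" names the address and port the
# server should connect back to. The pattern must cover one complete
# control-channel line, not a substring found somewhere in the payload.
PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n",
    re.IGNORECASE,
)


def parse_port(line):
    """Return (IPv4Address, port) for a well-formed PORT line, else None."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def check_port_command(line, client_addr, min_port=1024):
    """Decide whether an inbound data connection may be expected.

    client_addr is the inside address that owns the control connection.
    Returns (allow, reason).
    """
    parsed = parse_port(line)
    if parsed is None:
        return False, "not a well-formed PORT command"
    addr, port = parsed
    if addr != ipaddress.IPv4Address(client_addr):
        return False, "address differs from control-connection client"
    if port < min_port:
        return False, "privileged port requested"
    return True, "ok %s:%d" % (addr, port)


if __name__ == "__main__":
    # Constructed sample lines, checked against inside client 192.168.1.10.
    for sample in (b"PORT 192,168,1,10,195,80\r\n",
                   b"PORT 192,168,1,20,195,80\r\n",
                   b"PORT 192,168,1,10,0,22\r\n"):
        print(sample, check_port_command(sample, "192.168.1.10"))
```

Passive mode avoids this decision entirely on the client side, because the inside host opens both connections itself.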

