Mailinglist Archive: opensuse-security (359 mails)

Re: ftp server "best practice"
  • From: Stefan Andreas Tichy <listuser@xxxxxxxxx>
  • Date: Thu, 24 Jul 2003 17:11:14 +0200
  • Message-id: <20030724151114.GB15577@xxxxxxxxxxxxxxxx>
On Thu, Jul 24, 2003 at 08:44:02AM -0400, Daniel Nilsson wrote:
> The ftp server should be located at the main office, but I could use
> some recommendations on where to place this server. From reading mailing
> lists I understand the issue of active vs. passive ftp and placing the
> ftp server in the DMZ. I don't think I can ask our customers to toggle
> the active/passive flag of their ftp client since our customers are

Most ftp clients use passive ftp as a default. An exception is the
client delivered by SUN for Solaris, which does not even support passive
ftp. (May be solved with Solaris 9.)

There are firewalls in all the office locations. Therefore I assume
that only passive ftp is possible.


> usually not very computer savvy people. Putting an ftp server in the DMZ
> that supports both active and passive ftp seems tricky, does anyone have

Active ftp is not the problem on the server side. You have to allow
outgoing tcp connections. The firewall on the client side will have
to forward incoming tcp connections. Iptables can handle that, but
IMHO you should not use active ftp.

If it is passive ftp the port range used for data connections can be
specified in /etc/vsftpd.conf (pasv_min_port pasv_max_port). This
might be useful.


> a recipe of how to make that work (using SuSEFirewall 2 on the firewall
> machine).

You may have to set up your own set of iptables rules.


There are already some mails listing alternatives to ftp. I don't
want to mention it again.


--
Stefan Tichy <listuser@xxxxxxxxx>
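
Added example (not part of the original mail): a shell sketch that reads pasv_min_port and pasv_max_port from vsftpd.conf text and prints matching iptables FORWARD rules for a passive-only server in the DMZ, so the firewall range cannot drift from the server's. The function names, the address 192.0.2.10, the port range 50000-50100 and the refusal of ports below 1024 are assumptions made for this example; the rules are only printed, not applied.

```shell
#!/bin/sh
# Constructed sample: the passive-ftp part of /etc/vsftpd.conf.
SAMPLE_CONF='# passive mode only, fixed data port range
pasv_enable=YES
port_enable=NO
pasv_min_port=50000
pasv_max_port=50100'

# Print the value of one vsftpd option from config text on stdin.
# Comment lines never match; a repeated option yields its last value.
conf_get() {
    sed -n "s/^$1=\([^[:space:]]*\).*/\1/p" | tail -n 1
}

# Print "min:max" for the passive data ports. Fails when the range is
# unset (vsftpd's default 0 means "any port"), non-numeric, inverted,
# or below 1024 (a restriction chosen for this example).
pasv_range() {
    conf=$(cat)
    min=$(printf '%s\n' "$conf" | conf_get pasv_min_port); min=${min:-0}
    max=$(printf '%s\n' "$conf" | conf_get pasv_max_port); max=${max:-0}
    case "$min$max" in *[!0-9]*) return 1 ;; esac
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] &&
        [ "$min" -le "$max" ] || return 1
    echo "$min:$max"
}

# Print FORWARD rules for the firewall in front of the DMZ server.
# $1 = server address (placeholder); config text on stdin.
pasv_rules() {
    range=$(pasv_range) || { echo "no usable pasv port range" >&2; return 1; }
    # Replies and packets of already accepted connections.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Control connection.
    echo "iptables -A FORWARD -p tcp -d $1 --dport 21 -m state --state NEW -j ACCEPT"
    # Passive data connections, limited to the range vsftpd hands out.
    echo "iptables -A FORWARD -p tcp -d $1 --dport $range -m state --state NEW -j ACCEPT"
}

printf '%s\n' "$SAMPLE_CONF" | pasv_rules 192.0.2.10
```

With port_enable=NO the server never opens outgoing data connections, so no rule for active ftp is generated.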
