Hi Greg,

Thanks for your informative reply. You've convinced me, I'm going passive;
that sentence, "it's less of a PITA", I think did it. Right now ftp is proving
to be just that: it's flaky. Some machines are fine with it; one Windows
box, XP SP2 and IE6, works fine, another with the same config can't resolve the ftp
sites. And I guess I just won't use the ftp command-line option, I don't like
it anyway, I'm spoiled on ncftp.

I've got pftpx going on the router, and have pf set up with the
appropriate anchors, but clients are, as I said, flaky: one works fine, some
work intermittently and some don't work at all. It is perplexing.

Thanks.
Dave.
----- Original Message -----
From: "Greg Hennessy" <[EMAIL PROTECTED]>
To: "'Dave'" <[EMAIL PROTECTED]>; <freebsd-pf@freebsd.org>
Sent: Friday, May 18, 2007 3:04 AM
Subject: RE: ftp, pf, passive ftp and fetch

> Hi,
> I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe I have passive working; one of my
> Windows boxes goes passive and dies on active.

Command line FTP client in Windows is active only.

> I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so I want it to use
> the -p (passive) option by default whenever it tries an ftp URL.

gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1

> Second, for ncftp I'd like to specify that it should use passive mode connections
> by default as well.

gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on

> Last, is active or passive ftp better in terms of security,
> strictly from a firewall perspective? I know the protocol isn't secure.

Passive is less of a PITA (that's not saying much).
One doesn't have to handle ingress traffic initiated from the server.
However, one either has to leave high ports open or use an L7 proxy to
dynamically open the firewall for each request, hence pftpx.

> If active ftp is better than passive, does anyone have a ruleset for it?
> I'm using a block-by-default ruleset.

I haven't used active FTP for years, TBH. I have had serious arguments with
vendors and suppliers who tried to insist on its use through environments I
have had responsibility for.

Greg

> Thanks.
> Dave.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"