ftp, pf, passive ftp and fetch
Greg Hennessy
Greg.Hennessy at nviz.net
Fri May 18 07:04:46 UTC 2007
> Hi,
> I'm trying to get ftp working from behind a pf firewall. I'm using
> pftpx on FreeBSD 6.2 for this. I believe I have passive working; one of my
> Windows boxes goes passive and dies on active.
The command-line FTP client in Windows is active only.
> I've got three questions. First,
> portupgrade uses fetch for retrieval, correct? If so, I want it to use
> the -p (passive option) by default whenever it tries an ftp URL.
gw2:~ # set | grep -i ftp
FTP_PASSIVE_MODE=1
> Second, ncftp: I'd like to specify that it should use passive mode
> connections by default as well.
gw2:~ # grep -i passive .ncftp/prefs_v3
passive=on
> Last, is active or passive ftp better in terms of security
> strictly from a firewall perspective? I know the protocol isn't secure.
Passive is less of a PITA (that's not saying much).
One doesn't have to handle ingress traffic initiated from the server.
However, one either has to leave high ports open or use an L7 proxy to
dynamically open the firewall for each request, hence pftpx.
> If active ftp is better than passive does anyone have a ruleset with it?
> I'm using a block by default ruleset.
I haven't used active FTP for years TBH. I have had serious arguments with
vendors and suppliers who tried to insist on its use through environments I
have had responsibility for.
Greg
> Thanks.
> Dave.
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
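Added example (not part of the original thread, and not pftpx's own code): a sketch of the check an L7 FTP proxy has to make before it opens the firewall for one passive data connection, which is the alternative to leaving high ports open that the reply describes. The function names, the sample addresses and the generated rule text are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 \D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\D*$")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]      # port = p1 * 256 + p2


def data_rule(client_ip, server_ip, reply):
    """Build one narrow rule for the data connection, or None to refuse."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    # Only open a hole towards the server the control connection talks to,
    # and never towards a privileged port.
    if ip != ipaddress.IPv4Address(server_ip) or port < 1024:
        return None
    # Illustrative pf rule text (assumed form, not what pftpx emits).
    return ("pass out quick inet proto tcp from %s to %s port %d "
            "flags S/SA keep state" % (client_ip, ip, port))


if __name__ == "__main__":
    # Constructed sample replies using documentation address ranges.
    samples = [
        "227 Entering Passive Mode (198,51,100,5,195,80)",   # port 50000
        "227 Entering Passive Mode (203,0,113,9,195,80)",    # other host
        "227 Entering Passive Mode (198,51,100,5,0,22)",     # low port
    ]
    for line in samples:
        print(line, "->", data_rule("192.0.2.10", "198.51.100.5", line))
```

With a default-block ruleset, only the first sample yields a rule; the other two are refused, so no data port is opened for them.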