Re: [squid-users] ftp_passive

From: Adam Lang <aalang@dont-contact.us>
Date: Fri, 8 Jun 2001 15:58:34 -0400

Hmmm... either way sounds like a security problem. To do it passive, I
would have to basically open all ports for outgoing, wouldn't I?

I have a Cisco PIX, so I have stateful packet filtering. How does that
change things? Going from port 21 to 20, does it still mark it as an
established connection?
Hmm... Time to do some testing...

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Colin Campbell" <sgcccdc@citec.qld.gov.au>
To: "Adam Lang" <aalang@rutgersinsurance.com>
Cc: "Squid-Users" <squid-users@squid-cache.org>
Sent: Thursday, June 07, 2001 7:31 PM
Subject: Re: [squid-users] ftp_passive

> Hi,
>
> On Thu, 7 Jun 2001, Adam Lang wrote:
>
> > What are passive connections?
>
> Ftp uses two data streams, one for passing commands around, the other for
> moving data. The command channel is handled by the ftpd listening on port
> 21.
>
> The data channel varies depending on whether you ask for passive ftp or
> not. When you request data in a non-passive environment, your client tells
> the server "I am listening on <ip-address> <port>". The server then
> connects FROM port 20 to the ip address and port specified by your client.
> This requires your "security device" to permit any host outside from port
> 20 to any host inside on any port > 1023. Somewhat of a hole.
>
> In passive mode, when you request a data transfer, the server tells the
> client "I am listening on <ip address> <port>". Your client then connects
> to the server on that IP and port and data flows.
>
> Colin
>
Received on Fri Jun 08 2001 - 13:57:02 MDT
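Colin's description of the two modes, as an added example that is not part of the thread: parse the client's PORT command (active mode) and the server's 227 reply (passive mode) into the advertised address and port, then derive the single firewall permit each data connection needs, which makes the "any port > 1023 from port 20" hole of active mode explicit. The sample lines and addresses are constructed, and `DataEndpoint` and `required_rule` are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not taken from the thread above).
PORT_CMD = "PORT 192,0,2,10,4,1"                               # client listens on 192.0.2.10:1025
PASV_REPLY = "227 Entering Passive Mode (198,51,100,5,195,80)"  # server listens on 198.51.100.5:50000

# FTP encodes address and port as six comma-separated bytes: h1,h2,h3,h4,p1,p2
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def _decode(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into a host string and 16-bit port."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range: {fields}")
    return DataEndpoint(".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])


def parse_port_command(line):
    """Active mode: the client's PORT command announces where *it* listens."""
    m = re.fullmatch(r"PORT\s+" + _SIX, line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply announces where *it* listens."""
    m = re.match(r"227\b.*?\(" + _SIX + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode(m.groups())


def required_rule(mode, client_ip, server_ip, endpoint):
    """Describe the one firewall permit the data connection needs.

    Active: the server connects FROM port 20 TO the client's advertised port, so the
    inside firewall must accept an inbound connection to an unprivileged port.
    Passive: the client connects outbound to the port the server advertised.
    """
    if mode == "active":
        if endpoint.port <= 1023:
            raise ValueError("active-mode data port must be unprivileged (> 1023)")
        return {"direction": "inbound", "src": f"{server_ip}:20",
                "dst": f"{endpoint.host}:{endpoint.port}"}
    if mode == "passive":
        return {"direction": "outbound", "src": f"{client_ip}:*",
                "dst": f"{endpoint.host}:{endpoint.port}"}
    raise ValueError(f"unknown mode {mode!r}")
```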