[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Any danger from these ports?

Am Do, den 13.01.2005 schrieb Charles R. Anderson um 4:47:

> > It is much better to use ip_conntrack_ftp iptables helper module and the
> > stateful capabilities of iptables (ESTABLISHED,RELATED) rather than to
> > "blindly" open a range of high ports. Why using ipchains, which is not
> > stateful, when having iptables?
> Because the box is a RHL 7.3 box and I was only familiar with ipchains
> at the time.  Because non-stateful firewalls by their very nature
> operate in a simpler manner that is less likely to break.  Because I
> know nothing besides FTP is using the passive port range I chose. 
> Note that I did qualify my statements with "If you are not using a
> stateful firewall with a FTP helper"...

I see.

> If I was going to set this up again today, I would probably use what
> you suggest.

Ok :) I should have made myself clearer. I was just arguing that
iptables is to be preferred - I recognized your "if clause". Why poking
a hole into the "firewall" if you don't have to? I see the background of
your description (RH7.3 and ipchains trained). Take my reply as an add
to your passive FTP packet filtering description - just matching
iptables on current Fedora Core systems.



Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.10-1.8_FC2smp 
Serendipity 13:57:37 up 2 days, 12:08, load average: 0.41, 0.54, 0.41 

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]