Re: firewall rules for FTP


Subject: Re: firewall rules for FTP
From: Christopher E. Brown (cbrown@woods.net)
Date: Thu Mar 21 2002 - 01:07:12 AKST


On 20 Mar 2002, Jason Jeremias wrote:
> 3) Use a stateful firewall to simplify the issue, Cisco PIX, iptables,
> and many others are stateful. Stateful monitors the outgoing FTP
> control so it knows to allow the data connection back in.

I have to take exception with part of this statement. Linux iptables
is a stateful traffic monitor and filter control on a stateless
routing stack. A good and well loved thing.

The cisco PIX *IS NOT* a proper router. The PIX is a *stateful*
device, in most configurations acting as a double blind PROXY (done at
high rate due to hardware assist).

So, to restate, Linux + ipfilter is a stateless router with stateful
controls and filters. A PIX is a stateful device pretending to be a
router, that also filters. (The double spoof that a firewalling PIX
does introduces issues, your IP stack is not talking to the end point.
Your IP stack is talking to the PIX and the end point is talking to
the PIX. It just rewrites things to hide this fact.)

-- 

I route, therefore you are.
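The stateful behaviour discussed in the thread (watching the outgoing FTP control channel so the matching data connection can be admitted) as an added example, not code from the original post: a toy Python stand-in for the FTP helper a stateful filter such as iptables' nf_conntrack_ftp relies on. All addresses and control-channel lines are constructed; the address-match check models the usual refusal to open a data connection toward a third-party host.

```python
import re
from dataclasses import dataclass, field

# Decode the FTP "h1,h2,h3,h4,p1,p2" form used by PORT and the 227 PASV reply.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def _endpoint(groups):
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

@dataclass
class FtpTracker:
    expected: set = field(default_factory=set)  # (src_ip, dst_ip, dst_port)

    def see_control(self, client_ip, server_ip, line):
        """Inspect one control-channel line and register an expected data flow."""
        if m := PORT_RE.match(line):
            host, port = _endpoint(m.groups())
            # Active mode: the server connects back in to the client. Only trust
            # an address that matches the client we are tracking.
            if host == client_ip:
                self.expected.add((server_ip, host, port))
        elif m := PASV_RE.match(line):
            host, port = _endpoint(m.groups())
            # Passive mode: the client connects out to the port the server quoted.
            if host == server_ip:
                self.expected.add((client_ip, host, port))

    def allow(self, src_ip, dst_ip, dst_port):
        """Admit a new connection only if the control channel announced it."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # one expectation, one connection
            return True
        return False

def demo():
    """Constructed exchange; returns the filter's decision for each packet."""
    fw = FtpTracker()
    client, server = "192.168.1.10", "203.0.113.5"
    fw.see_control(client, server, "PORT 192,168,1,10,16,7")  # 16*256+7 = 4103
    results = {
        "active_data_in": fw.allow(server, client, 4103),
        "replay_same_port": fw.allow(server, client, 4103),
        "unsolicited_in": fw.allow(server, client, 4104),
    }
    fw.see_control(client, server, "227 Entering Passive Mode (203,0,113,5,195,80)")
    results["passive_data_out"] = fw.allow(client, server, 195 * 256 + 80)
    fw.see_control(client, server, "PORT 10,0,0,9,0,21")  # third-party address
    results["bounce_ignored"] = fw.allow(server, "10.0.0.9", 21)
    return results
```

This only works while the control channel is readable in cleartext; once FTP runs over TLS the filter cannot see PORT or PASV and the data connection has to be handled some other way.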



This archive was generated by hypermail 2a23 : Thu Mar 21 2002 - 01:27:05 AKST