[KLUG Members] FTP Question

Bryan J. Smith members@kalamazoolinux.org
Thu, 10 Jan 2002 09:22:37 -0500


Daniel Szalay wrote:
> I have a user that is trying to FTP files to a web site. The site uses
> passive FTP, which means after establishing a connection over port 21, it
> tries to open a subsequent connection on a random port from the unassigned
> blocks in the registered port range (1024 to 49151). The problem I'm having
> is I have to configure the proxy server (MS Proxy) to allow ALL of the
> unassigned port ranges for this to work (since it appears the admin of the
> web site has not limited the connection range his/her server will use).
> That's a lot of ports.

I know this is going to "sting" a bit but *DO*NOT* use MS Proxy Server. 
Not even Microsoft's newer Internet Security Architecture (ISA) products
are as capable or featured, and they are nowhere near as fast as aged Linux
2.2/IPChains with Squid (let alone 2.4/Netfilter with Squid+add-on).  In
fact, MS solutions were among the _most_expensive_, _least_featured_ and
_dog_slow_ in the reviews.

There are various reviews of MS Proxy Server and MS ISA over at Network
World -- no wait -- they yanked them all within 3 months of publication
after Microsoft's citing of their EULA's section on "review without
approval."  [ NOTE:  You can still occasionally find
"comments/references" to the articles in other articles, especially on
Linux ;-P ]

If MS Proxy Server is not your call, you need to tell your "management"
that an MS Proxy solution is a huge-@$$ hole, in every way.  The only
reason most people don't hear about it is because Microsoft pulls out
the EULA and an army of lawyers (with the cash to pay them to outlast
the USDOJ ;-) every time someone does an "unauthorized review" of it.  MS
ISA is no better either.

> I'm wondering if there are any security concerns (allowing the random
> selection of these ports), even though these are outbound connections that
> are opened only by (and after) a legitimate FTP session is established. Not
> to mention it's a lot of work entering all of the port groups.

Linux's masquerading FTP module has _no_problem_ with passive FTP for
me.  Not just on 2.4/Netfilter (which is far better, and handles active
FTP fairly well), but even 2.2/IPChains.

Sorry, I know this was a _bad_ response.  My apologies.

-- Bryan

P.S.  I don't know what the posting guidelines are here, but we run a
"PC_Support" list in Florida for everything technical, but clearly
non-Linux.  It is usually stocked with subscribers to other Florida
LUGs, as well as a few others (SVLUG to name one, even a few of you KLUG
guys, etc...).

-- 
Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
SmithConcepts, Inc.            http://www.SmithConcepts.com
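Added example (not part of the original thread, and not code from any of the products or kernel modules mentioned in it): the reason a stateful FTP helper such as the Linux masquerading FTP module can avoid opening the whole 1024-49151 range is that it reads the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply on the control channel and opens a single pinhole to the one address/port the server advertised (port = p1*256 + p2). The script below implements that parsing and the two sanity checks a helper applies before trusting the reply (the advertised address must match the control-connection peer, and the port must not be privileged). The `192.0.2.x`/`198.51.100.x` addresses and the reply strings are constructed sample data.

```python
import re

# Constructed sample control-channel replies (documentation addresses, not real hosts).
SAMPLE_PASV_OK = "227 Entering Passive Mode (192,0,2,10,191,80)."        # port 191*256+80 = 48976
SAMPLE_PASV_SPOOFED = "227 Entering Passive Mode (198,51,100,7,191,80)."  # address != control peer
SAMPLE_PASV_LOW_PORT = "227 Entering Passive Mode (192,0,2,10,0,22)."     # port 22, privileged

# RFC 959 PASV reply: six comma-separated decimal octets inside parentheses.
PASV_RE = re.compile(
    r"^227\s.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Each field is one byte; anything larger is malformed and must not be trusted.
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def expected_data_connection(reply, control_peer_ip):
    """Decide whether a firewall helper should open ONE pinhole for the data connection.

    Mirrors the checks a connection-tracking FTP helper performs: the address in the
    reply must be the same host the control connection is talking to, and the port must
    be unprivileged. Returns (allowed, reason, ip, port).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "not a well-formed 227 reply", None, None
    ip, port = parsed
    if ip != control_peer_ip:
        return False, "advertised address differs from control-connection peer", ip, port
    if port < 1024:
        return False, "advertised port is in the privileged range", ip, port
    return True, "single pinhole: client -> %s:%d" % (ip, port), ip, port


if __name__ == "__main__":
    for reply in (SAMPLE_PASV_OK, SAMPLE_PASV_SPOOFED, SAMPLE_PASV_LOW_PORT, "220 Welcome"):
        allowed, reason, ip, port = expected_data_connection(reply, "192.0.2.10")
        print("%-52s -> %s (%s)" % (reply, "ALLOW" if allowed else "DROP", reason))
```

Run it directly to see one ALLOW and three DROP decisions. The point for the proxy question above: with this kind of helper the firewall never needs a standing rule for the unassigned port blocks at all; only the single address/port pair from each legitimate 227 reply is opened, and only for the client that issued the PASV command.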