Netscreen Passive FTP question

Archived from groups: comp.security.firewalls (More info?)

 

I'm still kinda new at this so bear with me. Have a Netscreen 5GT and
we're setting up a Linux FTP server on our DMZ. We will have the
Linux server configured for pasv ftp. My question is regarding the
firewall config...do I need to allow all ports over 1024 to the FTP
box? Or is there something the netscreen does automatically so I
don't have to open all those ports? My understanding is the pasv ftp
server will tell the client what port above 1024 to use so we need
those ports open to the box...can the netscreen "see" this request and
automatically open the proper ports? Or am I reaching here?


 

The Other Mike <noone@verizon.net> wrote:
> I'm still kinda new at this so bear with me. Have a Netscreen 5GT and
> we're setting up a Linux FTP server on our DMZ.

Please think about the fact that FTP is very ugly, and that there are much
easier protocols out there, like HTTP/WebDAV, and much more secure ones
like HTTPS, SSH/SCP or SFTP.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


 

I realize that...and we'll go to that in the future...but for right
now, I just need the question answered.

On 17 Sep 2005 09:36:23 +0200, Volker Birk <bumens@dingens.org> wrote:

>Please think about the fact that FTP is very ugly, and that there are much
>easier protocols out there, like HTTP/WebDAV, and much more secure ones
>like HTTPS, SSH/SCP or SFTP.


 

The Other Mike <noone@verizon.net> wrote:
[FTP server]
> but for right
> now, I just need the question answered.

Then perhaps this will help you:

http://5xt.support.netscreen.safeh [...] s10198.htm

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"


 

Thanks for the link...but I have reviewed this already and it doesn't
specify anything about passive ftp. I'm concerned about specifically
a pasv ftp setup...I know this procedure will work with active ftp
...but with a passive setup, do I need to open up the additional above
1024 ports? Or does the firewall handle this?

On 18 Sep 2005 10:50:47 +0200, Volker Birk <bumens@dingens.org> wrote:

>The Other Mike <noone@verizon.net> wrote:
>[FTP server]
>> but for right
>> now, I just need the question answered.
>
>Then perhaps this will help you:
>
>http://5xt.support.netscreen.safeharbor.com/knowbase/root/public/ns10198.htm
>
>Yours,
>VB.


 

The Other Mike <noone@nowhere.net> wrote:
http://5xt.support.netscreen.safeh [...] s10198.htm
> Thanks for the link...but I have reviewed this already and it doesn't
> specify anything about passive ftp. I'm concerned about specifically
> a pasv ftp setup...I know this procedure will work with active ftp
> ...but with a passive setup, do I need to open up the additional above
> 1024 ports? Or does the firewall handle this?

Sorry. I can explain to you how passive FTP works (RFC 959), but
I usually don't use this netscreen stuff, so I perhaps know too little
about this special device to help you.

With passive FTP, the FTP server tells the client on which (random)
port it will listen for the data connection. A firewall therefore must
read the FTP command traffic, so it then can (statefully) allow the
data connection.

It is not a good idea to unblock anything above 1024, though.

So perhaps it will be best to read the netscreen documentation on how to
activate stateful handling of the FTP protocol, also for passive FTP
connections. I guess they will have one (in fact, I thought that this
is enabled as described in the above link).

Are you sure that your firewall does not do this automatically, without
the need to configure something special, if you allow FTP?

Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms."
Harald Schmidt on "World Youth Day"
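To make the mechanism VB describes concrete (and to answer the original question in general terms), here is an added example that is not from this thread and not Netscreen's code: a toy model of what a stateful firewall's FTP helper (ALG) does with passive FTP. It parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply on the control channel, as specified in RFC 959, and opens one narrow, one-shot pinhole for exactly that client/server/port, instead of a blanket "allow everything above 1024" rule. The `FtpHelper` class, the `Pinhole` table, and the sample addresses and replies are all constructed for this example.

```python
"""
Added example (not from the thread, not vendor code): a minimal model of a
stateful firewall's passive-FTP helper.  It reads 227 replies on the
control channel and opens a single pinhole per announced data port.
"""
import re
from dataclasses import dataclass

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# where the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str):
    """Return (host, port) announced in a 227 reply, or None if malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:  # a server announcing a privileged port is not trusted
        return None
    return host, port


@dataclass(frozen=True)
class Pinhole:
    """One expected data connection: client -> server:port."""
    client_ip: str
    server_ip: str
    server_port: int


class FtpHelper:
    """Tracks control-channel replies and the data pinholes they justify."""

    def __init__(self):
        self.pinholes = set()

    def on_control_reply(self, client_ip, server_ip, line):
        """Called for each server->client line on the control channel."""
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return None
        host, port = parsed
        # Only open a hole toward the server we are actually talking to;
        # a 227 reply naming some other host must not punch a hole there.
        if host != server_ip:
            return None
        hole = Pinhole(client_ip, server_ip, port)
        self.pinholes.add(hole)
        return hole

    def allow_data_connection(self, src_ip, dst_ip, dst_port):
        """Policy decision for a new TCP connection into the DMZ."""
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)  # one-shot: consumed by the first use
            return True
        return False  # everything else above 1024 stays closed


def demo():
    """Walk through one passive transfer with constructed addresses."""
    fw = FtpHelper()
    client, server = "203.0.113.10", "192.0.2.20"  # constructed (RFC 5737)
    # Server announces port 195*256 + 80 = 50000 for the data connection.
    reply = "227 Entering Passive Mode (192,0,2,20,195,80)\r\n"
    fw.on_control_reply(client, server, reply)
    return {
        "matching": fw.allow_data_connection(client, server, 50000),
        "replay": fw.allow_data_connection(client, server, 50000),
        "other_port": fw.allow_data_connection(client, server, 50001),
        "other_client": fw.allow_data_connection("198.51.100.7", server, 50000),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the firewall policy is the `allow_data_connection` branch: only a connection that matches a pinhole the helper derived from the control channel is admitted, and it is admitted once. That is what "stateful handling of FTP" buys you over a static rule for 1024-65535 on the DMZ host, which would expose every other listening service on those ports as well.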


 

No...I don't know this, which is why I posted the question. I've read
a lot of the netscreen documentation and it says it "supports active
and passive ftp"....I'm just not sure if that means "stateful
handling". I guess I'll just give them a call. Thanks.


On 19 Sep 2005 12:56:23 +0200, Volker Birk <bumens@dingens.org> wrote:

>Are you sure that your firewall does not do this automatically, without
>the need to configure something special, if you allow FTP?


 

"The Other Mike" <noone@nowhere.net> wrote in message
news:gcpri1hmpm2psfcic4sves81na2umj28b0@4ax.com...
> Thanks for the link...but I have reviewed this already and it doesn't
> specify anything about passive ftp. I'm concerned about specifically
> a pasv ftp setup...I know this procedure will work with active ftp
> ...but with a passive setup, do I need to open up the additional above
> 1024 ports? Or does the firewall handle this?

What version of code are you running? Late 4 and all 5. code should have
"application" settings besides just the service. When you select the FTP
application as well as the FTP service in your policy, it should take care
of that for you.

-Russ.
