Re: IPSec and Passive FTP
From: \ (dvader_at_deathstar.mil)
Date: 11/15/03
Date: Sat, 15 Nov 2003 10:32:42 -0500
>This is one good example showing why IPSec alone does not make for a
>good firewall. The best way to go about it with IPSec is to block any
>high ports that you have static services listening on and allow high
>port-to-high port on the rest.
I get the picture, but not the method. How do you specify "high ports?" As far
as I can tell, I can only set single ports, one at a time, or all ports.
>Allowing a whole range of ports which do
>not have services listening on them does not expose your whole system.
>The best way to deal with FTP is to use a connection tracking firewall
>that has an alg which only allows for such connections in response to
>ftp port commands.
Yeah, I'm just trying to learn about IPSec, including its limitations. I have a
real firewall. :-)
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com
http://lists.gpick.com
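
The connection-tracking ALG behaviour mentioned in the quoted reply, sketched as an added example (not code from either poster or from any firewall product): it reads FTP control-channel lines and permits a high-port data connection only when a PORT command or 227 reply announced it. The class and function names are hypothetical, and the addresses and control lines are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and the 227 (PASV) reply
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) announced by a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpAlg:
    """Toy tracker: a data connection passes only if the control channel announced it."""
    def __init__(self):
        self.expected = set()  # (connecting_ip, listening_ip, listening_port)

    def control_line(self, sender_ip, peer_ip, line):
        hp = parse_hostport(line)
        # Ignore announcements that name another host or a port below 1024
        if hp and hp[0] == sender_ip and hp[1] >= 1024:
            self.expected.add((peer_ip, hp[0], hp[1]))

    def allow_data(self, src_ip, dst_ip, dst_port):
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # pinhole is single-use
            return True
        return False

def demo():
    client, server = "198.51.100.7", "192.0.2.10"  # constructed addresses
    alg = FtpAlg()
    alg.control_line(server, client, "227 Entering Passive Mode (192,0,2,10,195,80)")
    return [
        alg.allow_data(client, server, 50000),  # announced high port
        alg.allow_data(client, server, 50000),  # replay of the same pinhole
        alg.allow_data(client, server, 50001),  # unannounced high port
    ]

if __name__ == "__main__":
    print(demo())
```

A static filter that can only match one port or all ports has no equivalent of the `expected` set, which is why it ends up permitting the whole high-port range.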