On Friday 28 May 2004 12:50 pm, Peter Marshall wrote:

> I guess my question was is it advisable to only allow active ftp .... ? Or
> is that just not a reasonable idea ? Or does the Related option make
> passive "safe" (ie, don't have to open a load of ports).

I'd say passive is just as secure as active, and vice versa.

> I already had to open just about everything outgoing from my proxy server
> anyway, so I guess it is not a big deal ... *unless you have a better
> suggestion for that as well.

There's a big difference between opening up *outbound* ports from a proxy server (where you can use the proxy server to decide what's safe and what isn't), and allowing lots of traffic *through* your firewall.

Whether the proxy is running on the same machine as netfilter or not, you're either placing rules in the OUTPUT chain (if it is), or you're specifying the source IP with -s (if it isn't). Either way, you're not allowing any greater access to any system other than the proxy, and of course you trust that, or you wouldn't be using it :)

Regards,

Antony.

--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.

Please reply to the list; please don't CC me.
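The rule layout Antony describes (rules in the OUTPUT chain when the proxy runs on the netfilter box, a `-s` source match when it does not, with RELATED state carrying the FTP data connections so no port range has to be opened), written out as an added example that is not part of the thread. It assumes the kernel's FTP conntrack helper is available; the proxy address 192.0.2.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original list post. Prints the netfilter rules
# for an FTP proxy; pipe the output to sh on the firewall to apply them.
# Assumes the nf_conntrack_ftp helper is loaded. The proxy IP is a placeholder.
#
# Usage: gen_rules <proxy-ip> local|remote
gen_rules() {
    proxy="$1"
    where="$2"
    if [ "$where" = "local" ]; then
        # Proxy on the netfilter host itself: its own traffic leaves via OUTPUT
        # and replies arrive via INPUT, so no source-address match is needed.
        raw="OUTPUT"; out="OUTPUT"; in="INPUT"; src=""
    else
        # Proxy is a separate host: its traffic is forwarded, so limit the
        # rules to that one source address with -s.
        raw="PREROUTING"; out="FORWARD"; in="FORWARD"; src=" -s $proxy"
    fi
    # Since kernel 4.7 conntrack helpers are no longer attached automatically;
    # bind the ftp helper explicitly to the control connection.
    echo "iptables -t raw -A $raw$src -p tcp --dport 21 -j CT --helper ftp"
    # Only the proxy may open new FTP control connections (active or passive).
    echo "iptables -A $out$src -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    # Data connections in either mode are RELATED to the control connection,
    # so this single rule replaces opening a range of high ports.
    echo "iptables -A $out -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$in" != "$out" ]; then
        echo "iptables -A $in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    # Anything else on this path is logged (so it can be detected) and dropped.
    echo "iptables -A $out$src -j LOG --log-prefix \"ftp-proxy-drop: \""
    echo "iptables -A $out$src -j DROP"
}

if [ "$#" -ge 2 ]; then
    gen_rules "$@"
fi
```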