Re: Re[2]: Yudit text-editor
On Wed, 15 Jul 1998, Evgeny Stambulchik wrote:
> Eli Marmor <marmor@elmar.co.il> wrote:
> > > Here I always thought that passive mode (which most browsers use) is much
> > > more security-friendly than active - you don't have to allow connections to
> > > some strange ports at your site.
> > > Just to increase my sysadmin knowledge :) - which configuration might
> > > allow to serve vanilla FTP clients and refuse webbrowser's FTP?
> >
> > I don't know anything about passive/active, and this is not the
> > difference between browsers and FTP clients.
>
> AFAIK, that's the difference. At least, netscape by default uses the passive
> mode. When it connects to a ftp server that supports the passive connection, the
> server tells the client what (unprivileged) port to use for data transfers and
> bind()s to this port. The port number is chosen arbitrarily, so with a static
> firewall the only solution (AFAIK) is to allow all connections between any
> unprivileged ports on both sides. This is far from being secure, of course.
> I'd be extremely happy to know if there is a better solution (with Linux
> ipfwadm, I mean).
>
> > The only problem is
> > that web browsers check many services (i.e. ping) and not only FTP
> > (20,21).
>
> I have to see such a browser yet. Not something that runs on U*ix, I believe.
Netscape 3.XX on Linux does just that, and causes Linuxes set up to dial
using /sbin/request-route to dial with a ping packet first. The browser pings the
remote host before trying to establish a TCP connection. The idea is that
some TCP/IP stack combinations spend long minutes before giving up on a
connection that can't be established. The browser will ping the remote
host once before sending a request, every time the target domain changes,
and once again, after a certain delay of non-use (I think, 10 minutes in
Netscape). If the remote does not answer the ping, then the browser
reports a failure to reach the host. If required, the ping is preceded by
a DNS lookup. Thus, if a server is run in a domain that has no DNS and no
ping servers, then some users may not be able to reach it. Same thing if
the pages on it are linked to from another site (domain change).
Peter
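As an added illustration of the passive-mode exchange Evgeny describes above (this is example code, not code from anyone in this thread): a Python parser for the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply that applies the checks an FTP-aware firewall helper or a hardened client would want before opening the advertised data port, instead of the blanket "any unprivileged port to any unprivileged port" rule. The reply strings and addresses below are constructed sample values.

```python
import re
import ipaddress

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1*256 + p2; the client then connects out to host:port.
PASV_RE = re.compile(
    r"227[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer):
    """Validate a 227 reply against the peer of the control connection.

    Returns the (host, port) a client or firewall helper may open, or raises
    ValueError. The checks are the minimum a stateful FTP helper needs before
    punching a hole: the data host must be the same server the control session
    is talking to (so a reply cannot redirect the client to a third party),
    the port must be unprivileged (>1023, as the thread notes), and the
    address must be a routable unicast address.
    """
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    if host != control_peer:
        raise ValueError("PASV host %s differs from control peer %s" % (host, control_peer))
    if port < 1024:
        raise ValueError("PASV port %d is privileged" % port)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise ValueError("PASV address %s is not routable" % host)
    return host, port


def pasv_is_safe(reply, control_peer):
    """Boolean convenience wrapper around check_pasv for filtering code."""
    try:
        check_pasv(reply, control_peer)
        return True
    except ValueError:
        return False
```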