I am using IPCop to feed a small network.
In its default state IPCop has all incoming ports closed and all outgoing ports open.
Following the advice that I see repeatedly in this newsgroup, I close all outgoing ports except those required for web access, e-mail, news and time, using IPTables. I also isolate one computer on the network completely from the internet. This all works very well.
I now wish to use an ftp client (FileZilla), and I have opened outgoing port 21 for this purpose.
If I use the normal or active ftp mode, then, as I understand the matter, the ftp client will, after the command channel from a high-numbered local port and port 21 on the remote ftp server has been established, notify the remote ftp server of the port to use for transferring data. The data is then transferred by the remote ftp server from its port 20 to the port specified by the local ftp client. Unfortunately, as everyone knows, this link will not function because, since it will be initiated by the remote ftp server, it will be blocked by the firewall.
My first question is how do the professional security advisors overcome this problem? The only solution that I can think of is to forward incoming traffic from port 20 around the firewall - but this would presumably reduce security.
The next problem arises if I try to use the passive mode of ftp. In this mode, as far as I understand the matter, once the command channel has been established as for the active mode, the local ftp client sends a message (PASV) to the ftp server that it wishes to use the passive mode. The remote ftp server then notifies the ftp client of the port on which it will be listening so that the ftp client may initiate data transfer from that port.
The problem with this arrangement is that the local ftp client has to send a message to the port specified by the ftp server, but such a message will be blocked because all outgoing ports (except those for the web) are closed.
Again, I wonder how the professionals deal with this problem.
I ought to say that I have tried the IPCop mailing list but so far no one has had the time to reply. Hence, if anyone on this newsgroup could give me any guidance I would be very grateful.
Regards
Brian
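The way a stateful firewall handles both the active and the passive case described above is with an FTP connection-tracking helper: it reads the PORT command and the 227 PASV reply on the command channel and records the single data connection it now expects, which is then accepted as RELATED traffic rather than as a new connection on an open port. The following is a toy model of that helper, added here as an example and not part of Brian's post or of IPCop; the port numbers chosen for web, e-mail, news and time, and the addresses in the comments, are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed egress policy: web, e-mail, news and time, plus FTP control.
# (Assumption: these are the port numbers behind the post's description.)
ALLOWED_OUTBOUND_PORTS = {21, 80, 443, 25, 110, 119, 123}

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def decode_hostport(groups):
    """Turn FTP's h1,h2,h3,h4,p1,p2 encoding into (ip, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

@dataclass
class FtpHelper:
    """Toy model of a stateful firewall's FTP helper: it watches the control
    channel and records the one data connection it expects next."""
    client: str
    server: str
    expected: set = field(default_factory=set)  # (src, dst, dport, direction)

    def observe_client(self, line):
        """Active mode: PORT tells the server where to connect back to."""
        m = PORT_RE.match(line.strip())
        if m:
            ip, port = decode_hostport(m.groups())
            if ip == self.client:  # only trust addresses of the control peer
                self.expected.add((self.server, ip, port, "inbound"))

    def observe_server(self, line):
        """Passive mode: the 227 reply tells the client where to connect."""
        m = PASV_RE.match(line.strip())
        if m:
            ip, port = decode_hostport(m.groups())
            if ip == self.server:  # same check for the server's address
                self.expected.add((self.client, ip, port, "outbound"))

    def verdict(self, src, dst, dport, direction):
        """Decide a NEW connection: expected data channel, policy, or drop."""
        key = (src, dst, dport, direction)
        if key in self.expected:
            self.expected.discard(key)  # an expectation is used exactly once
            return "ACCEPT (RELATED)"
        if direction == "outbound" and dport in ALLOWED_OUTBOUND_PORTS:
            return "ACCEPT (NEW)"
        return "DROP"
```

On an iptables firewall this corresponds to loading the FTP connection-tracking helper module and having a rule that accepts ESTABLISHED,RELATED state before the default deny, so neither port 20 inbound nor the high outgoing ports need to be opened in general.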