Netscreen Passive FTP question

I'm still kinda new at this so bear with me. Have a Netscreen 5GT and we're setting up a Linux FTP server on our DMZ. We will have the Linux server configured for pasv ftp. My question is regarding the firewall config...do I need to allow all ports over 1024 to the FTP box? Or is there something the netscreen does automatically so I don't have to open all those ports? My understanding is the pasv ftp server will tell the client what port above 1024 to use so we need those ports open to the box...can the netscreen "see" this request and automatically open the proper ports? Or am I reaching here?

Reply to
The Other Mike

Please think about the fact that FTP is very ugly, and that there are much easier protocols out there, like HTTP/WebDAV, and much more secure ones like HTTPS, SSH/SCP or SFTP.

Yours, VB.

Reply to
Volker Birk

Reply to
The Other Mike

The Other Mike wrote: [FTP server]

Then perhaps this will help you:

Yours, VB.

Reply to
Volker Birk

Thanks for the link...but I have reviewed this already and it doesn't specify anything about passive ftp. I'm concerned specifically about a pasv ftp setup...I know this procedure will work with active ftp....but with a passive setup, do I need to open up the additional ports above 1024? Or does the firewall handle this?

Reply to
The Other Mike

What version of code are you running? Late 4 and all 5 code should have "application" settings besides just the service. When you select the FTP application as well as the FTP service in your policy, it should take care of that for you.

-Russ.

Reply to
Somebody.

No...I don't know this, which is why I posted the question. I've read a lot of the netscreen documentation and it says it "supports active and passive ftp"....I'm just not sure if that means "stateful handling". I guess I'll just give them a call. Thanks.

Reply to
The Other Mike

The Other Mike wrote:

Thanks for the link...but I have reviewed this already and it doesn't

Sorry. I can explain to you how passive FTP works (RFC 959), but I usually don't use this netscreen stuff, so I perhaps know too little about this particular device to help you.

With passive FTP, the FTP server tells the client on which (random) port it will listen for the data connection. A firewall therefore must read the FTP command traffic so that it can then (statefully) allow the data connection.

It is not a good idea to unblock anything above 1024, though.

So perhaps it will be best to read the netscreen documentation on how to activate stateful handling of the FTP protocol, also for passive FTP connections. I guess they will have one (in fact, I thought that this is enabled as described in the above link).

Are you sure that your firewall does not do this automatically, without the need to configure something special, if you allow FTP?

Yours, VB.

Reply to
Volker Birk
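Added example, not from any poster in this thread and not Netscreen's own code: how a firewall's stateful FTP helper derives the single data-connection pinhole from the server's PASV reply that VB describes above. The 227 reply format is RFC 959; the helper function, the rule dictionary and the sample addresses are constructed for illustration.

```python
import re
import ipaddress

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    """Return (ip, port) advertised in a PASV reply, or None if malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()[:4]]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        return None
    port = (p1 << 8) | p2          # port is carried as two bytes, high then low
    if port == 0:
        return None
    return ".".join(map(str, octets)), port

def pasv_pinhole(line, client_ip, server_ip):
    """Compute the one dynamic rule a stateful FTP helper would add (hypothetical format).

    The hole is opened only for the control peer's own address (a reply
    advertising some other host must not make the firewall open a path to
    it) and only for an unprivileged port, instead of unblocking all of >1024.
    """
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return None
    adv_ip, port = parsed
    if ipaddress.ip_address(adv_ip) != ipaddress.ip_address(server_ip):
        return None                # advertised address is not the server we talk to
    if port < 1024:
        return None                # passive data ports are expected above 1023
    return {"src": client_ip, "dst": server_ip, "dport": port, "proto": "tcp"}

# Constructed sample: DMZ server 192.0.2.10 answering client 198.51.100.7
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
SAMPLE_CLIENT, SAMPLE_SERVER = "198.51.100.7", "192.0.2.10"

if __name__ == "__main__":
    print(pasv_pinhole(SAMPLE_REPLY, SAMPLE_CLIENT, SAMPLE_SERVER))
```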
