Re: fully transparent ftp-proxy?



On Wed, Oct 30, 2002 at 10:52:28PM +0000, Roy Badami wrote:
> An imperfect kernel FTP proxy (as provided by iptables or ipfilter) is
> surely still better than nothing when firewalling an FTP server.  If
> the userland FTP proxy can't easily be made fully transparent, then a
> kernel FTP filter is still useful.

I agree, it's better than no firewall at all. But it's worse than a
firewall that reliably blocks access to some vulnerable ports, because
the in-kernel proxy could be tricked into opening those ports.
Of course, even a wet towel is better than no firewall.

Daniel