[cobalt-users] Qube2 - IP Firewall question - opening port 20
- From: "dr. mikey" <mikey@xxxxxxxxxxxxxxxxx>
- Date: Tue Jan 9 16:32:01 2001
- Organization: biosearch technologies, inc.
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
dear all,
we have been having trouble with an offsite user accessing our qube2's
ftp server over the internet, where he can connect fine but generates a
425 error ("Can't open data connection"). after a bit of sleuthing
online (e.g.,
http://support.microsoft.com/support/kb/articles/q271/0/78.asp and
http://www.linuxtech.ch/news/comp.os.linux.misc/2000111902452700.shtml)
i have learned that it is a result of passive/active mode ftp transfers
and access to port 20 through the ip firewall. this in turn leads to
two possible solutions: the first is to set the ftp client's preferences
to allow passive mode transfers ("PASV"), the other is to open port 20
in the qube's ip firewall to incoming tcp connections.
now, being less than a linux expert, i originally used cobalt's online
ip filter wizard (http://www.cobalt.com/support/tools/firewall.html) to
generate our rules, which do not include a rule allowing incoming
connections on port 20.
thus, at long last, do we arrive at my actual questions, namely: is
there a security reason for not opening port 20 (i already have
anonymous ftp turned off for this reason)? if not, then why didn't the
cobalt ip filter wizard have port 20 open from the beginning? and
lastly, which is better, allowing port 20 or forcing users to use PASV
mode? as always, your thoughts and advice are greatly appreciated.
thanks for the help,
mikey.
--
mike songster <mikey@xxxxxxxxxxxxxxxxx>
work1: http://www.biosearchtech.com
work2: http://www.chem.umn.edu/orgs/ampepsoc
spinning and spinning and spinning around...
the feelies
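
An added example, not part of the original post: under RFC 959, in active mode the server opens the data connection from its port 20 to the address the client sent in PORT, while in passive mode the client connects to the port the server announces in its 227 reply. The sketch below decodes both negotiations from a control-channel excerpt and reports what the server's packet filter has to pass; the `C:`/`S:` line format, the function names and the addresses are assumptions made for illustration.

```python
import re

# Constructed control-channel excerpts (documentation addresses, not from the post).
ACTIVE_SESSION = [
    "C: PORT 203,0,113,7,19,137",
    "C: LIST",
    "S: 425 Can't open data connection.",
]
PASSIVE_SESSION = [
    "C: PASV",
    "S: 227 Entering Passive Mode (192,0,2,10,195,80)",
    "C: LIST",
    "S: 150 Opening ASCII mode data connection.",
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 replies (RFC 959)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no host-port tuple in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(lines, server_ip):
    """Return who opens the data connection for the last PORT/PASV negotiation."""
    flow = None
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            # Active mode: the server connects out from its data port (20).
            flow = {"mode": "active", "initiator": "server",
                    "src": (server_ip, 20), "dst": parse_hostport(msg), "failed": False}
        elif side == "S" and msg.startswith("227"):
            # Passive mode: the client connects in to the announced port.
            flow = {"mode": "passive", "initiator": "client",
                    "src": None, "dst": parse_hostport(msg), "failed": False}
        elif side == "S" and msg.startswith("425") and flow:
            flow["failed"] = True
    return flow

def server_firewall_needs(flow):
    """Describe the traffic the FTP server's packet filter has to pass."""
    if flow["mode"] == "active":
        return "outbound TCP from local port 20 to %s:%d, plus reply packets" % flow["dst"]
    return "inbound TCP connection to local port %d" % flow["dst"][1]
```

With a stateless filter, the "reply packets" in the active case are the non-SYN packets arriving at local port 20, which is a narrower rule than accepting new inbound connections on that port.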