euarrd@euas12g.ericsson.se (Richard Rosenlund) (07/13/89)
I recently sent an article out on the Swedish backbone, but I didn't receive any answer to my question, so here it goes:

Background:
I wish to know how to restrict FTP access so that it would be possible to deny FTP "GET" requests from outside a network. One way would be to use a router. This may be "wrong thinking", but I thought it might be good to restrict incoming access of the "well known port" #20, but during a couple of "shoots" here, I found out that port 20 is always opened by the "FTP server". And that is independent of the case (GET or PUT).

Question:
My question simply is: Does anyone have suggestions on how to proceed?

Answers:
Please send your answer directly by e-mail to: euarrd@euas12g.ericsson.se

Thank you
roy@phri.UUCP (Roy Smith) (07/15/89)
In <2078@erix.ericsson.se> euarrd@euas12g.ericsson.se (Richard Rosenlund):
> I wish to know, how to restrict FTP access so that it would be possible
> to deny FTP "GET" requests from outside a network.

The obvious way would be to hack your ftp server to look at the address of the connected client and refuse to process GET requests if the network didn't match your network.

--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{att,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy@alanine.phri.nyu.edu
"The connector is the network"
kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (07/17/89)
In article <3865@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>In response to euarrd@euas12g.ericsson.se (Richard Rosenlund):
>> I wish to know, how to restrict FTP access so that it would be possible
>> to deny FTP "GET" requests from outside a network.
>
> The obvious way would be to hack your ftp server to look at the
>address of the connected client and refuse to process GET requests if the
>network didn't match your network.
>--

Pardon me if I am really dense, but can't unauthorized GETs be avoided by requiring USER and PASSWORD? If you require login, you don't have to do source address checking on GET requests. It is more efficient to stop FTPs at initiation. You can disable anonymous FTP or do source address checking at login where USER is "anonymous".

Routers aren't very good at limiting access by source address checking so long as they are *required* to support source routing. Hosts aren't very good either, if they don't tell applications like FTP about IP options like "source-routed".

--Kent England
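
As an added example that is not part of the original thread: a C sketch of the two checks discussed above, the per-command refusal of RETR (the command a client's "get" sends) by client network, and the source address check at login where USER is "anonymous", with a source-routed connection treated as outside. The network 192.0.2.0/24, the function names and the `source_routed` flag are assumptions for illustration and do not come from any real ftpd.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <strings.h>

/* Assumed local network for this sketch (documentation range). */
#define LOCAL_NET  "192.0.2.0"
#define LOCAL_BITS 24

/* 1 if the dotted-quad peer address lies inside net/bits, else 0.
   Unparseable input is treated as outside. */
int in_network(const char *peer, const char *net, int bits)
{
    struct in_addr p, n;
    uint32_t mask;

    if (bits < 0 || bits > 32)
        return 0;
    if (inet_pton(AF_INET, peer, &p) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (ntohl(p.s_addr) & mask) == (ntohl(n.s_addr) & mask);
}

/* The peer address only counts as local when the host reports that the
   connection did not carry a source-route option; otherwise the address
   says nothing about where the client really is. */
int peer_is_local(const char *peer, int source_routed)
{
    return !source_routed && in_network(peer, LOCAL_NET, LOCAL_BITS);
}

/* Login-time check: anonymous sessions are accepted from the local
   network only; named users go on to the normal password check. */
int allow_login(const char *user, const char *peer, int source_routed)
{
    if (strcasecmp(user, "anonymous") == 0)
        return peer_is_local(peer, source_routed);
    return 1;
}

/* Per-command check: RETR is refused for outside clients, every other
   command is left to the server's existing rules. */
int allow_command(const char *cmd, const char *peer, int source_routed)
{
    if (strcasecmp(cmd, "RETR") == 0)
        return peer_is_local(peer, source_routed);
    return 1;
}
```
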