  1. #1 Just Joined! (Join Date: Oct 2007, Posts: 7)

    Box as a stand alone FTP (outside the firewall)

    Here is an odd one. I have a cisco pix that is my worst nightmare. I can't seem to get it to allow PASV FTP traffic to the production server that I was trying to set up FTP on. I gave up and thought, why not put a Linux box on one of the other interfaces of my T1 wic, give it a public IP. Then add a second nic on the linux box configured and wired to my LAN. Wouldn't this be the same as a Firewall only with no routing? Does anyone think this is just stupid or insane?

    I thought perhaps it might be safer this way. If someone hacked the linux box, I wouldn't care. If they hacked my win boxes I'd be in trouble.

    Thanks.

  2. #2 Super Moderator Roxoff (Join Date: Aug 2005, Location: Nottingham, England, Posts: 3,846)
    I have this situation with my Neverwinter Nights server. It's sat outside my firewall on a public IP address of its own.

    There's nothing wrong with doing this; the trick is to make sure you have nothing on there that can be exploited - i.e. only install the bare minimum of packages. I went as far as to go through the auto installed stuff one by one and removed it.

    I firewalled it over, opened the specific ports to support the game only, and set up the SSH server (on an unusual port) and limited logins to my other public IP address only. The box has therefore become anonymous. It's hackable, for sure, but nobody would achieve anything, because there's nothing on there that I care about. And if it goes down, I can have it re-installed and running again in about an hour.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3 Just Joined! (Join Date: Oct 2007, Posts: 7)
    Is it possible to create users that can login to FTP and system users that are separate? Are FTP users different from System users?

  4. #4 Super Moderator Roxoff (Join Date: Aug 2005, Location: Nottingham, England, Posts: 3,846)
    In this situation, I wouldn't let users have regular accounts on the box - make them all local accounts, and keep them completely separate from regular/inside lan user accounts. You definitely want to enforce a strong password policy, and probably try to ensure their password on the ftp machine is different to their inside-lan one.
    Linux user #126863 - see http://linuxcounter.net/

  5. #5 Just Joined! (Join Date: Oct 2007, Posts: 7)
    Thanks. There really won't be any inside users. I'll probably just set up a single internal account and use a script to get the FTP data and put it where it needs to go.

  6. #6 Linux Guru anomie (Join Date: Mar 2005, Location: Texas, Posts: 1,692)
    Keep in mind that ftp is a clear-text protocol. If the files are sensitive in any way, you're going to want to require ftps (ftp over ssl/tls).

    Quote Originally Posted by SerialCoder: "If someone hacked the linux box, I wouldn't care."

    No need to let it come to that with the right precautions.

  7. #7 Just Joined! (Join Date: Oct 2007, Posts: 7)
    This would be a service for our graphics / printing department. The users would be uploading files for production, then they can be wiped out. So the sensitivity isn't that big of a deal.
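    The "script to get the FTP data" from post #5, combined with anomie's point about requiring FTPS, could look like the following. This is an added example, not code from anyone in the thread: it runs on an inside host and connects *out* to the bastion, so the LAN side never has to accept a connection from the exposed box, it insists on TLS for both control and data channels, treats upload names as untrusted input, and wipes each file off the bastion once it is inside. The host name, port, drop directory and environment variable names are assumed placeholders.

```python
#!/usr/bin/env python3
"""Pull uploads from the bastion FTP box into the inside LAN over FTPS.

Constructed example: host, port, directory and env var names are assumptions.
"""
import os
import re
import ssl
from ftplib import FTP_TLS, error_perm
from pathlib import Path

BASTION_HOST = os.environ.get("FTP_HOST", "ftp-bastion.example")        # assumption
BASTION_PORT = int(os.environ.get("FTP_PORT", "21"))                    # assumption
DROP_DIR = Path(os.environ.get("DROP_DIR", "/srv/production/incoming"))  # assumption
# Plain file names only: starts alphanumeric, no separators, no hidden files.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_name(name: str) -> bool:
    """Reject anything an uploader could use to escape DROP_DIR."""
    return bool(SAFE_NAME.match(name)) and ".." not in name


def select_files(listing: list[str]) -> tuple[list[str], list[str]]:
    """Split a directory listing into (fetchable, rejected) names."""
    ok = [n for n in listing if is_safe_name(n)]
    bad = [n for n in listing if not is_safe_name(n)]
    return ok, bad


def pull_uploads(user: str, password: str) -> list[str]:
    """Fetch every upload over explicit FTPS, then delete it on the bastion."""
    ctx = ssl.create_default_context()   # verifies the bastion's certificate
    ftp = FTP_TLS(context=ctx)
    ftp.connect(BASTION_HOST, BASTION_PORT, timeout=30)
    ftp.login(user, password)            # login already happens under TLS
    ftp.prot_p()                         # encrypt the data channel as well
    ftp.set_pasv(True)                   # PASV: inside host opens both connections
    names, rejected = select_files(ftp.nlst())
    for name in rejected:
        print(f"skipping suspicious upload name: {name!r}")
    DROP_DIR.mkdir(parents=True, exist_ok=True)
    fetched = []
    for name in names:
        try:
            with open(DROP_DIR / name, "wb") as fh:
                ftp.retrbinary(f"RETR {name}", fh.write)
        except error_perm:               # e.g. a directory, not a file
            (DROP_DIR / name).unlink(missing_ok=True)
            continue
        ftp.delete(name)                 # nothing sensitive lingers outside
        fetched.append(name)
    ftp.quit()
    return fetched
```

    Run it from cron on the inside host with the credentials in environment variables; the bastion's FTP account then only ever needs upload rights from the outside and no access toward the LAN.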
