[GLLUG] Linux and ATTBI Question

C. Ulrich dincht@securenym.net
Sat, 28 Sep 2002 07:56:09 -0600


David Lee Lambert wrote:
> This leads to a question.  I'd like to allow FTP from the local network.
> I don't want to allow FTP from systems not on the local network;  first,
> it's insecure;  second, it's a real pain to configure;  third, it's not
> clear that it even works through the firewall.  I can make any files I
> want to available by HTTP,  and people with accounts can use SCP to copy
> files on and off the system.

There are a couple of ways to accomplish this.

1) The easiest and most secure way is to configure your firewall to not let
connections be initiated from the outside to ports that you don't specifically
allow.

2) Most programs that sit on a port and wait for traffic can be configured to
listen only on a particular address and/or interface. Usually, it's just a
single line in a config file.

3) Use NFS or Samba. :) NFS is fairly simple to set up, but the Linux
implementation can be rather... fragile. Samba's a safe bet if you already
know how to set it up or don't mind doing some reading.

> Is there any way to have the FTP program give an informative error-message
> to people who try to connect from foreign networks,  while still allowing
> full access for users from the local net?

Generally, completely closing off the port to the outside is preferred from a
security point of view.

Hope this helps.

--C. Ulrich
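
The effect of option 2 in the reply above, shown as an added example that is not part of the original message: a TCP listener bound to one address refuses connections on the host's other addresses, while a wildcard bind accepts on all of them. The addresses are constructed stand-ins, and the example assumes a Linux host where all of 127.0.0.0/8 is loopback.

```python
import socket

# Constructed stand-ins (assumptions, not from the thread): 127.0.0.1 plays the
# host's local-network address, 127.0.0.2 plays its outside-facing address.
INSIDE, OUTSIDE = "127.0.0.1", "127.0.0.2"


def start_listener(bind_addr):
    """Open a TCP listener on bind_addr and let the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def can_connect(addr, port, timeout=1.0):
    """Return True if a TCP connection to addr:port is accepted."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        # Covers connection refused, unreachable address and timeout.
        return False


def reachability(bind_addr, probe_addrs):
    """Bind a listener to bind_addr and report which probe addresses reach it."""
    srv, port = start_listener(bind_addr)
    try:
        return {addr: can_connect(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    # Wildcard bind: the service answers on every address the host owns.
    print("bound to 0.0.0.0:", reachability("0.0.0.0", [INSIDE, OUTSIDE]))
    # Single-address bind: only the chosen address accepts connections.
    print("bound to INSIDE: ", reachability(INSIDE, [INSIDE, OUTSIDE]))
```

Binding selects which local address accepts connections; it does not filter by the client's source address, so the firewall rule from option 1 is still what keeps outside hosts away from the port.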