Re: IPF FTP configuration
That's the problem with the original (active mode) FTP. As the second
connection (the data connection) goes in the other direction, using an
arbitrary port, you have to either have a "smart" firewall that can listen
in on the FTP command protocol and figure out which TCP port will be
used for the data connection... or just open up a large enough range of
ports. Something you don't want on your internal network.
Passive mode has both TCP sessions originating from the client, much
easier to handle (outgoing TCP can be considered "ok", security-policy
wise).
That's for clients. For FTP servers, the situation is a bit different, but
not much. For passive FTP from the outside, you really want a firewall of
the "smart" type, as you get another incoming TCP connection for the data
conn, and not to port 21. Active mode FTP is "ok", since your FTP server
will initiate the data connection to the outside, i.e. permit the FTP
server to connect to just about anything on the outside and you're ok.
All that aside, what I'd do here is basically this:
FTP server - let it do FTP, using a reliable FTP server software, and as
             little else as possible. The fewer services it runs, the
             less probability there is of them being compromised, right?
Firewall   - permit the FTP server to connect freely outwards
             permit others to connect to port 21 on the FTP server
             -- this takes care of 'active mode FTP'
             permit the FTP server to connect freely outwards -- as above
             permit others to connect to the FTP server, possibly only
             on high ports (1024 and up), since most FTP clients only
             select those.
             -- this takes care of 'passive mode FTP'
As you can see, for an FTP server, active is "nicer".
For clients (your typical network), passive is "nicer".
You want to control as much of the traffic as possible...
'nuff rambling. Good luck. :)
/H
On 6 Aug 2001, vedu hariths wrote:
> hmmm, you are correct. i was thinking the other way around. I guess My
> question was how do you specify the active passive thing. Do you
> have to do this on the ftp server side and allow all traffic in ....or
> just restrict data.
> vh
>
>
>
> On 06 Aug 2001 15:33:30 +0200, Hakan Olsson wrote:
> > Uh... the actual question aside, do you really want to do that?
> >
> > Basically, you're "protecting" the _outer_ network from the _inside_,
> > which is probably not what you want. Unless you run a very odd network, I
> > really don't see it...
> >
> > Passive mode was created to resolve some of the nasty network behaviour of
> > active FTP, such as forcing us to open a large number of incoming ports
> > for the data session.
> >
> > Reversing the directions like this (in fact, it's directly opposite what
> > most others, including myself, do), leaves your internal network wide open
> > to connections to a large number of TCP ports, i.e. attacks.
> >
> > /H
> >
> > On 6 Aug 2001, vedu hariths wrote:
> >
> > > Hi everyone, how does one specify in the ipf rules that we want to let
> > > machines inside a firewall do active FTP and outside the firewall only
> > > passive ftp? I do not need ipnat as the machines inside the firewall
> > > already have public ip addresses, so no need for mapping.
> > > Thank you,
> > > vh
> >
> > --
> > Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
> > Unix, Networking, Security (+46) 31 701 4264 & Technology AB
> >
> >
>
>
>
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
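The firewall policy Håkan sketches for an FTP server (port 21 inbound, free outbound for active-mode data, unprivileged high ports inbound for passive-mode data) written out as an ipf ruleset. This is an added example, not part of the original thread; the interface name ep0 and the server address 192.0.2.10 are assumptions.

```ipf
# Added example: ipf rules for a public FTP server, per the policy in the thread.
# Assumed values (not from the thread): external interface ep0, FTP server 192.0.2.10.
# ipf uses last-match unless 'quick' is given, so these two defaults deny anything
# not explicitly passed by a 'quick' rule below.
block in log on ep0 all
block out log on ep0 all

# Control connection: anyone outside may open port 21 on the FTP server.
# 'flags S' matches only the initial SYN; 'keep state' admits the rest of the session.
pass in quick on ep0 proto tcp from any to 192.0.2.10 port = 21 flags S keep state

# Active mode: the server initiates the data connection outwards, so let it
# connect freely to the outside (return packets are covered by the state entry).
pass out quick on ep0 proto tcp from 192.0.2.10 to any flags S keep state

# Passive mode: the client opens a second inbound connection to the high port
# the server announced; restrict it to the unprivileged range (1024 and up).
pass in quick on ep0 proto tcp from any to 192.0.2.10 port > 1023 flags S keep state
```

Note that the passive-mode rule still admits inbound connections to every unprivileged port on the server, which is exactly the trade-off the reply describes: without a firewall that parses the FTP control channel, the range cannot be narrowed further.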