
Re: IPF FTP configuration



Oh hold on a second there. The 'high range' is 41953 - 65535 not 1025 -
65535. You could write

pass in proto tcp from any to any port 41952 >< 65535 flags S keep state
pass in proto tcp from any to any port = 65535 flags S keep state
pass in proto tcp from any to any port = ftp flags S keep state

to handle the passive mode. The extra line for 65535 is needed since the
first rule isn't inclusive and you can't use 65536 as a bound.

Joshua Jore
Minneapolis Ward 3, precinct 10

"The irony of this man being imprisoned in the United States and longing
to return to once-Communist Russia so he can regain his right to free
speech is simply staggering."

On Mon, 6 Aug 2001, Hakan Olsson wrote:

> That's the problem with the original (active mode) FTP. As the second
> connection (the data connection) goes in the other direction, using an
> arbitrary port, you have to either have a "smart" firewall that can listen
> in on the FTP command protocol and figure out which TCP port will be
> used for the data connection... or just open up a large enough range of
> ports. Something you don't want on your internal network.
>
> Passive mode has both TCP sessions originating from the client, which is
> much easier to handle (outgoing TCP can be considered "ok", security-policy
> wise).
>
> That's for clients. For FTP servers, the situation is a bit different, but
> not much. For passive FTP from the outside, you really want a firewall of
> the "smart" type, as you get another incoming TCP connection for the data
> conn, and not to port 21. Active mode FTP is "ok", since your FTP server
> will initiate the data connection to the outside, i.e. permit the FTP
> server to connect to just about anything on the outside and you're ok.
>
> All that aside, what I'd do here is basically this:
>
>   FTP server - let it do FTP, using a reliable FTPserver software, and as
>                little else as possible. The fewer services it runs, the
>                less probability there is of them being compromised, right?
>
>   Firewall - permit the FTP server to connect freely outwards
>              permit others to connect to port 21 on the FTP server
>              -- this takes care of 'active mode FTP'
>
>              permit the FTP server to connect freely outwards -- as above
>              permit others to connect to the FTP server, possibly only
>                on high ports (1024 and up), since most FTP clients only
>                select those.
>              -- this takes care of 'passive mode FTP'
>
> As you can see, for an FTP server, active is "nicer".
> For clients (your typical network), passive is "nicer".
>
> You want to control as much of the traffic as possible...
>
> 'nuff rambling. Good luck. :)
> /H
>
> On 6 Aug 2001, vedu hariths wrote:
>
> > hmmm, you are correct. i was thinking the other way around. I guess my
> > question was how do you specify the active/passive thing. Do you
> > have to do this on the ftp server side and allow all traffic in .... or
> > just restrict data.
> > vh
> >
> >
> >
> > On 06 Aug 2001 15:33:30 +0200, Hakan Olsson wrote:
> > > Uh... the actual question aside, do you really want to do that?
> > >
> > > Basically, you're "protecting" the _outer_ network from the _inside_,
> > > which is probably not what you want. Unless you run a very odd network, I
> > > really don't see it...
> > >
> > > Passive mode was created to resolve some of the nasty network behaviour of
> > > active FTP, such as forcing us to open a large number of incoming ports
> > > for the data session.
> > >
> > > Reversing the directions like this (in fact, it's directly opposite what
> > > most others, including myself, do), leaves your internal network wide open
> > > to connections to a large number of TCP ports, i.e. attacks.
> > >
> > > /H
> > >
> > > On 6 Aug 2001, vedu hariths wrote:
> > >
> > > > Hi everyone, how does one specify in the ipf rules that we want to let
> > > > machines inside a firewall do active FTP and outside the firewall only
> > > > passive ftp? I do not need ipnat as the machines inside the firewall
> > > > already have public ip addresses, so no need for mapping.
> > > > Thank you,
> > > > vh
> > >
> > > --
> > > Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
> > > Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
> > >
> > >
> >
> >
> >
>
> --
> Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
> Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
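
To make Håkan's server-side recommendation and Joshua's narrowed passive range concrete, here is an ipf.conf fragment for a single FTP server sitting behind an ipf firewall. This is an added example, not a ruleset posted by anyone in this thread. The outside interface name (xl0), the server address (192.0.2.10) and the passive port range 41953-65535 (the figure from Joshua's message) are assumptions; check your FTP server's actual passive range and substitute your own addresses.

```ipf
# Added example ipf.conf for an FTP server behind ipf (not from the thread).
# Assumed: outside interface is xl0, the FTP server is 192.0.2.10 and the
# server hands out passive data ports in 41953-65535 (adjust to your setup).

# Default deny in both directions on the outside interface, logging drops.
# ipf is last-match unless "quick" is used, so the pass rules below take
# precedence over these.
block in log on xl0 all
block out log on xl0 all

# Let the FTP server connect freely outwards. This is what active mode needs:
# the server opens the data connection (from port 20) to whatever ephemeral
# port the client named in its PORT command. "keep state" admits the replies.
pass out quick on xl0 proto tcp from 192.0.2.10 to any flags S keep state

# Control connection: anybody may reach port 21 on the server.
pass in quick on xl0 proto tcp from any to 192.0.2.10 port = ftp flags S keep state

# Passive-mode data connections: the client connects to a server-chosen high
# port. Open only the server's real passive range, not 1024-65535.
# ">< " matches ports strictly between the two bounds, so 41952 >< 65535
# means 41953-65534; 65535 itself needs its own rule, as 65536 is not a
# legal bound.
pass in quick on xl0 proto tcp from any to 192.0.2.10 port 41952 >< 65535 flags S keep state
pass in quick on xl0 proto tcp from any to 192.0.2.10 port = 65535 flags S keep state
```

Two things to check after loading this with `ipf -Fa -f /etc/ipf.conf`: first, that the range in the two passive rules really matches what the FTP daemon advertises in its 227 responses (most daemons let you pin the passive port range; if yours does not, the range is whatever the OS ephemeral range is, and the firewall rule must be widened to match). Second, that nothing else on the server listens inside that range, since every port in it is now reachable from outside. The client-side case that started the thread is the mirror image: `pass out ... flags S keep state` from the internal network already covers passive mode, while letting inside machines do active FTP means either opening a high-port range inbound to them or using ipf's application-level FTP proxy, which is configured in ipnat.conf (`proxy port ftp ftp/tcp`) even when no address mapping is wanted.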